I'm currently working on a project that maps different events at different times in different service areas, and so far I've had a lot of luck with geostats. I'm fairly new to Splunk, SQL and XML but have been able to do a lot on my own. I have two questions:
1. Each event that is accumulated in the geostats map has a value assigned to it (between 0 and 7) in a particular field. Is there a way for me to assign a color to each value? I want to be able to look at the map and be able to discern between these different values.
2. I also created a table with these values with the Lat, Long, Time and Value [the 0-7] but I want to be able to link it to my geostats map. Is there a way that one could highlight/reveal the plot point, either when hovering over a row or clicking on it within the table?
I'll number and post both search strings:
1. Geostats map:
source="e:\\folder" | rex field=_raw "longitude:(?<long>.*) latitude:(?<lat>.*)" | rex field=_raw "value_id:(?<Value>.*)" | rex field="date_hour" "(?P<Time>[^\s]+)" | search long!="null" | search lat>"0" | eval long=tonumber(long), lat=tonumber(lat) | eval lat=printf("%.*f", 8, lat) | eval long=printf("%.*f", 8, long) | eval Time=strftime(_time, "%b-%d %H:%M:%S.%Q") | geostats count longfield=long latfield=lat translatetoxy=true maxzoomlevel=10
2. Table:
source="e:\\folder" | rex field=_raw "longitude:(?<long>.*) latitude:(?<lat>.*)" | rex field=_raw "value_id:(?<Value>.*)" | rex field="date_hour" "(?P<Time>[^\s]+)" | search long!="null" | search lat>"0" | eval long=tonumber(long), lat=tonumber(lat), Value=tonumber(Value) | eval long=long*-180/pow(2, 23) | eval lat=lat*90/pow(2, 23) | eval lat=printf("%.*f", 8, lat) | eval Value=printf("%.1s", Value) | eval long=printf("%.*f", 8, long) | eval Time=strftime(_time, "%b-%d %H:%M:%S.%Q") | table lat, long, Time, Value
Also, if anyone has any criticism of how I can clean this up, let me know. Again, I'm fairly new to this.
Thanks!
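An added example of a Simple XML dashboard that wires the two searches together (this is not from the original post): `geostats count by Value` splits each map marker into a pie chart with one colour per Value, and a table click drilldown sets a token that narrows the map to the clicked row. The coordinate conversion factors are the ones from the table search above; the tightened rex patterns (`\S+`, `\d`), the base-search id and the token name are assumptions.

```xml
<dashboard>
  <label>Events by service area</label>
  <!-- sel_filter starts as match-all; a table click narrows it (token name is an assumption). -->
  <init>
    <set token="sel_filter">*</set>
  </init>
  <!-- Base search shared by both panels: extract, convert, format. -->
  <search id="evt">
    <query>source="e:\\folder"
| rex field=_raw "longitude:(?&lt;long&gt;\S+) latitude:(?&lt;lat&gt;\S+)"
| rex field=_raw "value_id:(?&lt;Value&gt;\d)"
| where long!="null" AND isnotnull(lat)
| eval long=tonumber(long)*-180/pow(2,23), lat=tonumber(lat)*90/pow(2,23)
| where lat>0
| eval lat=printf("%.8f", lat), long=printf("%.8f", long)
| eval Time=strftime(_time, "%b-%d %H:%M:%S.%Q")
| fields lat, long, Time, Value</query>
    <earliest>-24h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Map: each marker is a pie chart, one colour per Value (0-7)</title>
      <map>
        <search base="evt">
          <!-- "by Value" splits every cluster into coloured slices -->
          <query>| search $sel_filter$
| geostats count by Value longfield=long latfield=lat maxzoomlevel=10</query>
        </search>
      </map>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events (click a row to show only that point)</title>
      <table>
        <search base="evt">
          <query>| table lat, long, Time, Value</query>
        </search>
        <drilldown>
          <!-- $row.field$ is the clicked row's cell value -->
          <set token="sel_filter">lat="$row.lat$" long="$row.long$"</set>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

Simple XML drilldown fires on click, not on hover, so hover highlighting would need custom JavaScript beyond this example.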