Displaying City in Splunk 6 map tooltip

immortalraghava
Path Finder

Hi,

I am using iplocation followed by geostats to plot my data on a map. My query looks like this:

index=index_name | iplocation ip_address | geostats first(item_number) as Item

The query works fine and I get the value and label of the field Item in the map marker tooltip.

Now I am trying to display the City name along with the field, like this:

index=index_name | iplocation ip_address | geostats first(City) as City first(item_number) as Item

This search works fine and displays results on the search page along with the City name. But when used in the map it does not display the field City in the marker's tooltip.

I even assigned the value in City field to a different field using eval and tried to display that field but it did not work.

I cannot use by City like this

index=index_name | iplocation ip_address | geostats first(item_number) as Item by City

because geostats does not allow aliases if I use group by. I get this error on the search page:

Error in 'geostats' command: The argument 'Item' is invalid.

Any ideas on how to display the City name? Any help is appreciated.

Thanks

1 Solution

kmattern
Builder

I had a similar situation. I wanted to count by two fields but geostats would not allow that. So I created a new field combining the two fields I needed and did my count by the new field and it worked. Here is part of a sample search.

... | eval CountInfo=DateTime.": ".Location | table DateTime, Location, CountInfo | geostats latfield=lat longfield=lon count by CountInfo

The resulting tooltip included both the date and time info as well as the location. Exactly what I wanted.

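Applied to the original question, the workaround above looks like the search below. This is an added example, not kmattern's or the original poster's search; it assumes the index, ip_address and item_number names from the question and relies on iplocation producing the City, lat and lon fields it outputs by default. The form that fails, geostats first(item_number) as Item by City, is replaced by a single eval that folds City and item_number into one field, which geostats can then group by without any alias:

```spl
index=index_name
| iplocation ip_address
| eval CityItem=City.": ".item_number
| geostats latfield=lat longfield=lon globallimit=0 count by CityItem
```

Each distinct City/item_number combination becomes its own series, so the marker tooltip lists the city name beside the item number. Because the grouped values now drive both the tooltip and the marker colours, a high-cardinality combination produces many series; globallimit=0 keeps all of them (the default limit drops the rest into OTHER), so tune it to what the map can sensibly show.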

dhirendra761
Contributor

This app will be helpful:
https://splunkbase.splunk.com/app/3124/


wweiland
Contributor

I'm seeing the same problem as well. I believe the documentation says you should be able to use AS and BY in the same geostats, but it doesn't seem to work.

geostats sum(accepted),sum(denied),sum(unapproved) by app works
geostats sum(accepted) as accepted,sum(denied) as denied,sum(unapproved) as unapproved by app fails


Venkat_16
Contributor

Hi, I tried a similar method and was successful in bringing the city name to the tooltip, but the issue is that I am getting different colors for different cities; I need it to display the color of the city based on severity. The query goes like this:

... | eval sev=case(units>=120,"sev1",units<120 AND units>=50,"sev2",units<25,"sev3") | eval new_field=city.": ".sev | geostats globallimit=0 latfield=latitude longfield=longitude count by new_field

