Dashboards & Visualizations

GEOSTATS - unable to set Color ranges properly

avaishsplunk
Path Finder

I have the below scenario:

Org OrderLine
A1 1
A2 2
A3 4
A5 1

when i do geostats sum(ColorCode) by Org and try to display colors on the basis of Color codes(e.g. Green for 1), the map is not displaying the color codes it is randomly picking up the colors. The requirement is to show bubbles for each Org with color coding as per the output.

I did tried bucketing the colors and using color options e.g. eval yellowCount = if(Orderline = 2,2,0) but that didn't worked:

{greenCount:0x6dc066,yellowCount:0xffd700,redCount:0xe60026,orangeCount:ff3d00,blueCount:1a237e}

Tags (1)
0 Karma

niketn
Legend

alt textIf you are able to plot the series on Geo Map with the series names: greenCount blueCount yellowCount orangeCount and redCount then you can use mapping.fieldColors for applying specific color to the series.

Following is an example for redCount and greenCount using hex code for respective colors. You can use mapping.fieldColors

<option name="mapping.fieldColors">{redCount:0xFF0000,greenCount:0x00FF00}</option>

Refer to the following documentation (also look at seriesColors option)
http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#map_.28event_t...

UPDATED: Added sample screenshot with for above mapping.fieldColors example for redCount and greenCount fields.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

Can you share part of query that plots the geostats?

Also hover over your GeoStats pie, and see the series names displayed in the pie.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

When you asked your question and mentioned that your GeoStats is picking Random colors, can you check the names of pie slices which are showing Random Colors? You would need to rename and set a color for those slices(field names).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

avaishsplunk
Path Finder

geostats latfield=Latitude longfield=Longitude sum(Delta1) as Orderline by dis_string maxzoomlevel=9 globallimit=0|eval redCount = if(Orderline = 4,4,0) | eval yellowCount = if(Orderline = 2,2,0)| eval greenCount = if(Orderline = 1,1,0) |eval orangeCount = if(Orderline = 3,3,0)|eval blueCount = if(Orderline = 5,5,0)| fields - Orderline

0 Karma

avaishsplunk
Path Finder

The above is my geostats query, the above stats shows a pie chart with values for each dis_string value with multiple colors, event though i specified the color as:

{greenCount:0x6dc066,yellowCount:0xffd700,redCount:0xe60026,orangeCount:ff3d00,blueCount:1a237e}

0 Karma

avaishsplunk
Path Finder

The value in dis_string is like this "ABC - Lines Imported - 10: Released:10" , this way i want to show for all dis_string values for each city or can say latitude/longitude, Delta1 is just a number like 1, 2,3,4, 5 which I have put to create different buckets

|inputlookup CDCRDCGeoCodes.csv |eval linecount=0 |eval lcount=0 |fields ORGANIZATION_CODE,linecount,Lat,Long, DESCRIPTION| append [search index= log-ebs-nprod sourcetype=ebs-events |search "ROF_ROI_ORDER_LINE_COUNT" |spath output=OpName path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.operationName |spath output=EvType path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.eventTypeCode |spath output=Header_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute1 |spath output=Line_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute2 |spath output=Org_Code path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute3 |spath output=status path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute4 |spath output=TimeZone path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute5 |spath output=CDC_RDC path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute6 |eval combined=mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(OpName,EvType),Header_Count),Line_Count),Org_Code),status),TimeZone),CDC_RDC) |mvexpand combined |eval combined=split(combined,",") |eval OpName=mvindex(combined,0) |eval EvType=mvindex(combined,1) |eval Header_Count=mvindex(combined,2) |eval Line_Count=tonumber(mvindex(combined,3)) |eval Org_Code =mvindex(combined,4) |eval status =mvindex(combined,5) |eval TimeZone=mvindex(combined,6) |eval CDC_RDC=mvindex(combined,7) |stats sum(Line_Count) as linecount by Org_Code |rename Org_Code as ORGANIZATION_CODE |fields linecount,ORGANIZATION_CODE,Lat,Long, DESCRIPTION] |stats sum(linecount) as "Imported", values(Lat) as "Latitude", values(Long) as "Longitude", values(DESCRIPTION) as "OrganizationName" by ORGANIZATION_CODE | join type=outer ORGANIZATION_CODE[|inputlookup CDCRDCGeoCodes.csv| eval Line_Count=0|fields ORGANIZATION_CODE,Line_Count,DESCRIPTION | append[search index=log-ebs-nprod sourcetype=ebs-events| search "ROF_DR_PUB_LINE_COUNT"|spath output=OpName path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.operationName|spath output=EvType path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.eventTypeCode|spath output=Header_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute1|spath output=Line_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute2|spath output=Org_Code path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute3|spath output=status path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute4|spath output=TimeZone path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute5|spath output=CDC_RDC path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute6|spath output=Ord_Type path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute7 |eval combined=mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(OpName,EvType),Header_Count),Line_Count),Org_Code),status),TimeZone),CDC_RDC),Ord_Type) | mvexpand combined |eval combined=split(combined,",") |eval OpName=mvindex(combined,0) |eval EvType=mvindex(combined,1) |eval Header_Count=mvindex(combined,2) |eval Line_Count=mvindex(combined,3) |eval Org_Code =mvindex(combined,4) |eval status =mvindex(combined,5) |eval TimeZone=mvindex(combined,6) |eval CDC_RDC=mvindex(combined,7) |eval Ord_Type=mvindex(combined,8) |where Ord_Type="COO" | rename Org_Code as ORGANIZATION_CODE] |stats sum(Line_Count) as "Released" by ORGANIZATION_CODE]|fields ORGANIZATION_CODE, Imported, Released, Latitude, Longitude |eval Delta = Imported - Released| eval Delta1 = case((Imported >0 AND Released > 0 AND Delta = 0), "1",(Imported > 0 AND Released > 0 AND Delta !=0), "2",(Imported = 0 AND Released =0),"3",(Imported > 0 AND Released = 0),"4",(Imported > 0 AND Released > 0 AND Delta <0),"5",1=1,"Other")| eval dis_string = ORGANIZATION_CODE.+" :Imported: "+ Imported + ": Released :"+ Released| fields ORGANIZATION_CODE, dis_string, Delta,Delta1 , Latitude, Longitude|geostats latfield=Latitude longfield=Longitude sum(Delta1) as Orderline by dis_string maxzoomlevel=9 globallimit=0|eval redCount = if(Orderline = 4,4,0) | eval yellowCount = if(Orderline = 2,2,0)| eval greenCount = if(Orderline = 1,1,0) |eval orangeCount = if(Orderline = 3,3,0)|eval blueCount = if(Orderline = 5,5,0)| fields - Orderline

0 Karma

niketn
Legend

As per the code above, do you get series as greenCount, blueCount, yellowCount, orangeCount and redCount when you hover in your Map?

If so then the code similar to the I have provided should work. If not please change the names accordingly in mapping.fieldColors.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

I have updated my answer with sample screenshot.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

avaishsplunk
Path Finder

Thanks a lot NiketNilay for the prompt help, but this is not going to work for me, in my scenario , i gave different colors which specifies different scenarios in the data we are plotting e.g.
If Imported = 0 and Released = 0 (GreenColor),
if imported = 10 , Released = 0 (RedColor)

the kind of scenario will be for all cities across US, so the map should show an alarm kind of thing for a city when Imported = 100 but released = 0 (Red Color)

What i did was i eval'ed these scenarios as values e.g. 1 for greencolor, 2 for redcolor and was plotting on the map by dis_string which as i mentioned above (ABC - Lines Imported - 10: Released:10) so that each city can show the imported v/s released status.

Hope it is not too confusing for you, let me know in case you need more details on my scenario....

Thanks a lot for your help on this

0 Karma

avaishsplunk
Path Finder

This is the reason I posted earlier

Org(Dis_String) ColorCoding
A1 1
B1 2
C1 1
D1 3

Regards,

0 Karma

niketn
Legend

Thanks for explaining, maybe I was overwhelmed by the length of your Splunk query and hence overlooked the details.

You are not trying to color geo stats based on series depicted rather you are looking at range value which is not even plotted. I am not sure as to how that can be done. You may want to look at Choropleth map, where you can color map based on ranges (however, values from range needs to be plotted on the geostat).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...