
Geospatial lookup returns wrong results

friderikab
Observer

Hi everyone, 

I have a problem with identifying if a point is within a polygon or not.

For the same latitude and longitude, sometimes I get right results, but sometimes not. I get wrong results if I search for more IDs (so there are more events) or I change the time range (not necessarily bigger).

The line which causes the issue: | lookup some_lookup_name latitude longitude

[Screenshot: right results]

[Screenshot: wrong results]

Thanks in advance 🙂

 

0 Karma

scelikok
SplunkTrust

Hi @friderikab,

It is not possible to guess without seeing your search. Could you please show your search? How do you pass the latitude and longitude fields to the lookup?

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma

friderikab
Observer

Hi,

We have reproduced the issue with sample data and a simple geospatial lookup. All events with id=1 are inside the geofence, events with id=2 are outside. We are getting incorrect results (different when sorting according to time). We have two sample data sources (data_sample_2 has a changed latitude in one of the events for id=2, from 51.501835 to 51.501836).

When sorting from earliest to latest, all events are inside:

[Screenshot: friderikab_0-1615216709478.jpeg]

When sorting from latest to earliest, some events for id=1 are outside (which is incorrect):

[Screenshot: friderikab_1-1615216747174.jpeg]

Removing event with problematic latitude: 

[Screenshot: friderikab_2-1615217131494.jpeg]

Search:

index="debug_idx" source="data_sample_1"
| eval time_epoch=_time
| sort 0 _time
| lookup geo_4 latitude longitude
| table id latitude longitude _time time_epoch featureId featureCollection
| noop search_optimization=false

Data_sample_1:

{"location":{"state":{"position":{"timestamp":"2021-01-11T01:14:34.000Z","latitude":51.501835,"longitude":6.906453}}},"ident":{"attr":{"id":"2"}}}}
{"location":{"state":{"position":{"timestamp":"2021-01-11T01:14:34.000Z","latitude":51.501835,"longitude":6.906453}}},"ident":{"attr":{"id":"2"}}}}
{"location":{"state":{"position":{"timestamp":"2021-01-06T22:23:23.000Z","latitude":53.500091,"longitude":9.909387}}},"ident":{"attr":{"id":"1"}}}}
{"location":{"state":{"position":{"timestamp":"2021-01-06T22:16:58.000Z","latitude":53.49732,"longitude":9.9082}}},"ident":{"attr":{"id":"1"}}}}
{"location":{"state":{"position":{"timestamp":"2021-01-06T22:13:30.000Z","latitude":53.501923,"longitude":9.910017}}},"ident":{"attr":{"id":"1"}}}}
{"location":{"state":{"position":{"timestamp":"2021-01-06T22:13:15.000Z","latitude":53.501923,"longitude":9.910017}}},"ident":{"attr":{"id":"1"}}}}

Data_sample_2:

{"location":{"state":{"position":{"timestamp":"2021-01-11T01:14:34.000Z","latitude":51.501836,"longitude":6.906453}}},"ident":{"attr":{"id":"2"}}}}
{"location":{"state":{"position":{"timestamp":"2021-01-11T01:14:34.000Z","latitude":51.501835,"longitude":6.906453}}},"ident":{"attr":{"id":"2"}}}}
{"location":{"state":{"position":{"timestamp":"2021-01-06T22:23:23.000Z","latitude":53.500091,"longitude":9.909387}}},"ident":{"attr":{"id":"1"}}}}
{"location":{"state":{"position":{"timestamp":"2021-01-06T22:16:58.000Z","latitude":53.49732,"longitude":9.9082}}},"ident":{"attr":{"id":"1"}}}}
{"location":{"state":{"position":{"timestamp":"2021-01-06T22:13:30.000Z","latitude":53.501923,"longitude":9.910017}}},"ident":{"attr":{"id":"1"}}}}
{"location":{"state":{"position":{"timestamp":"2021-01-06T22:13:15.000Z","latitude":53.501923,"longitude":9.910017}}},"ident":{"attr":{"id":"1"}}}}

Geolookup_4.kml

<?xml version="1.0" encoding="utf-8" ?>
<kml xmlns="http://www.opengis.net/kml/2.2">
<Document id="root_doc">
<Schema name="geo_4" id="geo_4">
	<SimpleField name="Name" type="string"></SimpleField>
</Schema>
<Folder>
<name>geo_4</name>
<Placemark>
    <name>{"place":"Location 1","category":"Locations","description":["A"],"subdescription":"01"}</name>
    <Style><LineStyle><color>ff0000ff</color></LineStyle><PolyStyle><fill>0</fill></PolyStyle></Style>
    <Polygon><outerBoundaryIs><LinearRing><coordinates>9.92195,53.51249 9.92848,53.49588 9.89352,53.49482 9.89561,53.51567 9.92195,53.51249</coordinates></LinearRing></outerBoundaryIs></Polygon>
</Placemark>
</Folder>
</Document></kml>
0 Karma
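An independent check of the geofence from this thread, as an added example that is not part of the original posts and not Splunk's implementation: it parses the polygon from Geolookup_4.kml and classifies the sample coordinates with a plain ray-casting test, in both sort orders. The function names are hypothetical, and the test assumes planar geometry, which is adequate for a polygon this small.

```python
import xml.etree.ElementTree as ET

# Polygon copied from Geolookup_4.kml in the post (XML declaration, Schema and Style omitted).
KML = """<kml xmlns="http://www.opengis.net/kml/2.2"><Document><Folder><Placemark>
<Polygon><outerBoundaryIs><LinearRing><coordinates>9.92195,53.51249 9.92848,53.49588 9.89352,53.49482 9.89561,53.51567 9.92195,53.51249</coordinates></LinearRing></outerBoundaryIs></Polygon>
</Placemark></Folder></Document></kml>"""
NS = {"k": "http://www.opengis.net/kml/2.2"}

def load_ring(kml_text):
    """Return the outer ring as (lon, lat) floats; KML stores longitude first."""
    text = ET.fromstring(kml_text).find(".//k:coordinates", NS).text
    return [tuple(map(float, pair.split(",")[:2])) for pair in text.split()]

def inside(ring, lat, lon):
    """Ray casting: toggle on every ring edge crossed by a ray going east from the point."""
    hit = False
    for (x1, y1), (x2, y2) in zip(ring, ring[1:]):
        if (y1 > lat) != (y2 > lat):  # edge spans the point's latitude
            x_at_lat = x1 + (lat - y1) * (x2 - x1) / (y2 - y1)
            if x_at_lat > lon:
                hit = not hit
    return hit

# (id, latitude, longitude) taken from Data_sample_2 in the post.
EVENTS = [
    ("2", 51.501836, 6.906453),
    ("2", 51.501835, 6.906453),
    ("1", 53.500091, 9.909387),
    ("1", 53.49732, 9.9082),
    ("1", 53.501923, 9.910017),
    ("1", 53.501923, 9.910017),
]

def classify(events, ring):
    """Return (id, lat, lon, is_inside) for each event, in input order."""
    return [(eid, lat, lon, inside(ring, lat, lon)) for eid, lat, lon in events]

RING = load_ring(KML)
forward = classify(EVENTS, RING)                   # one sort order
backward = classify(list(reversed(EVENTS)), RING)  # the opposite order

if __name__ == "__main__":
    for row in forward:
        print(row)
```

Every id=1 point comes out inside and every id=2 point outside regardless of order, which matches the expectation stated in the post and gives a reference to compare the lookup output against.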