I have performed this blog step by step: "http://blogs.splunk.com/2015/10/01/use-custom-polygons-in-your-choropleth-maps/" but it doesn't work.
These are the steps I've done:
1- Extract file cb_2014_us_cd114_500k.kml from cb_2014_us_cd114_500k.zip
2- Zip file cb_2014_us_cd114_500k.kml in my_lookup.kmz
3- Upload the KMZ file to the Lookup table files manager page (see blog)
4- Add new Lookup definitions with the correct XPath (see blog)
So, in search I tried this SPL "| inputlookup my_lookup"; this returns more than 1000 results, but I can't see anything in "statistics" or "visualization".
Where am I wrong?
Thanks
First, read the best treatment of Splunk and mapping anywhere:
https://www.splunk.com/en_us/blog/tips-and-tricks/use-custom-polygons-in-your-choropleth-maps.html
The `| inputlookup my_lookup` is just to see if you can access the `featureId` and `geom` fields inside of your `KML` or `KMZ` file. If it is built in such a way that Splunk can use it, you should see many lines returned on the `Statistics` tab. It sounds like you got this far. If you did not, consider using the `Shapester - Geo Shape Editor` app on `Splunkbase` (https://splunkbase.splunk.com/app/2893/) to build some shapes into a `KML` file that definitely should be Splunk-geo-compatible. If you then click on the `Visualization` tab, you should be able to see the results on a map but you must do ALL of the following:
1: Select the `Choropleth Map` visualization.
2: Keep `zooming` and `centering` your view until it is positioned over the location of the shapes in your file.
3: If your shapes are small, you will find that the default maps do not allow enough `zoom` to see them; to fix this....
4: Click on the `Format` tool (the `paint brush` icon) and go to the `Tiles` section.
5: Look at the comment that says `The URL to use for requesting tiles, ex: http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png` and grab the `http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png` text and paste it into the `URL` field. Instantly you should have infinite `zoom` detail. Really, this is probably the `secret magic` that you lacked. This is not clearly documented anywhere and we only discovered it by accident playing around.
It really helps to take a look at the `Choropleth Map Color Modes` example with `San Francisco Neighborhoods` in the `Map Elements` area of the `Splunk Dashboard Examples` app on `Splunkbase` (https://splunkbase.splunk.com/app/1603/). It shows you how to do everything EXCEPT for the magical #5 step. Although the recommended tile set is really good, there are many, MANY, options out there so be sure to try a variety. Here are some alternative tile sets that render instantly in Splunk:
https://wiki.openstreetmap.org/wiki/Tile_servers
OpenStreetMaps: http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png
Wikipedia: https://maps.wikimedia.org/osm-intl/{z}/{x}/{y}.png
OpenCycleMap: http://tile.thunderforest.com/cycle/{z}/{x}/{y}.png
Humanitarian Style: http://a.tile.openstreetmap.fr/hot/{z}/{x}/{y}.png
Hike and Bike: https://tiles.wmflabs.org/hikebike/{z}/{x}/{y}.png
Just leave out the ".kmz" extension
I had written badly in this question, now it's correct.
I tried it according to the blog you mentioned and it worked without any complication. Is there any permission problem, e.g. the lookup definition is (app)-private and you try to use it in some different app or context than where you defined it?
This is my configuration:
- Lookup table files: sharing "private" and app "search"
- Lookup definitions: sharing "private" and app "search"
- Owner: the same who created lookup table and lookup definition and run the SPL code.
Where could you see these "more than 1000 results"? After running this command I was directly led to the "statistics" tab with only 441 results.
What's in your `/opt/splunk/etc/users/<your_login_name>/search/lookups` directory?
I have:
drwx------. 2 splunk splunk 166 21. Jun 12:00 my_lookup
-rw-------. 1 splunk splunk 5528634 21. Jun 11:58 my_lookup.kmz
and in the `my_lookup` subdir I got:
-rw-------. 1 splunk splunk 328032 21. Jun 12:00 grid.key
-rw-------. 1 splunk splunk 63532814 21. Jun 12:00 grid.val
-rw-------. 1 splunk splunk 63384 21. Jun 12:00 ray.key
-rw-------. 1 splunk splunk 63384 21. Jun 12:00 ray.t.key
-rw-------. 1 splunk splunk 13295927 21. Jun 12:00 ray.t.val
-rw-------. 1 splunk splunk 20392363 21. Jun 12:00 ray.val
-rw-------. 1 splunk splunk 16221144 21. Jun 12:00 seg.key
-rw-------. 1 splunk splunk 16221144 21. Jun 12:00 seg.t.key
-rw-------. 1 splunk splunk 63532814 21. Jun 12:00 seg.t.val
-rw-------. 1 splunk splunk 63532814 21. Jun 12:00 seg.val
If you are on Windows I presume it should look similar - at least regarding the file-/directory names.
In my /opt/splunk/etc/users//search/lookups directory I don't have the subfolder my_lookup
Did you select type "Geospatial" in the lookup definition?
Yes, I have performed the blog step by step.
I re-defined the lookup in my environment and got the same result again.
The `my_lookup`-dir is created and filled during the first call to `| inputlookup my_lookup`. So it's not surprising that you don't have it.
Even after redefinition I got 441 entries in my statistics tab, not more than 1000. So what's in your `local/transforms.conf`-file regarding your my_lookup (located in the same directory as your lookup-dir)?
To check the source: I use `cb_2014_us_cd114_500k.zip` with a sha256sum of `100d747b89728dd1249a8d83c311691358072e62a9a7aff592edf49321f22083`. My uploaded `my_lookup.kmz` is 5528634 Bytes in size.
Did you define any other lookup named my_lookup some time before?
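The source check suggested in the reply above, as an added example (not code from any poster in this thread): it hashes the downloaded zip for comparison with the SHA-256 quoted there and counts the `Placemark` elements inside a KMZ, on the assumption that each `Placemark` becomes one row of `| inputlookup`. The function names and the sample KMZ are constructed for illustration.

```python
import hashlib
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

# SHA-256 of cb_2014_us_cd114_500k.zip as quoted in the thread.
EXPECTED_ZIP_SHA256 = "100d747b89728dd1249a8d83c311691358072e62a9a7aff592edf49321f22083"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def matches_source_zip(data: bytes) -> bool:
    """True if the bytes hash to the value quoted in the thread."""
    return sha256_hex(data) == EXPECTED_ZIP_SHA256

def inspect_kmz(data: bytes) -> dict:
    """Summarise a KMZ: byte size, KML members and Placemark count."""
    placemarks = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        kml_names = [n for n in zf.namelist() if n.lower().endswith(".kml")]
        for name in kml_names:
            with zf.open(name) as fh:
                # Stream the KML; the real file is tens of megabytes.
                for _, elem in ET.iterparse(fh, events=("end",)):
                    # Tags carry the namespace: "{ns}Placemark".
                    if elem.tag.rsplit("}", 1)[-1] == "Placemark":
                        placemarks += 1
                        elem.clear()  # free the polygon data already counted
    return {"bytes": len(data), "kml_files": kml_names, "placemarks": placemarks}

def build_sample_kmz(n: int) -> bytes:
    """Constructed sample: a KMZ holding one KML with n Placemarks."""
    ring = "<coordinates>0,0 0,1 1,1 0,0</coordinates>"
    marks = "".join(
        f"<Placemark><name>d{i}</name><Polygon><outerBoundaryIs>"
        f"<LinearRing>{ring}</LinearRing></outerBoundaryIs></Polygon></Placemark>"
        for i in range(n)
    )
    kml = ('<?xml version="1.0"?><kml xmlns="http://www.opengis.net/kml/2.2">'
           f"<Document>{marks}</Document></kml>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.kml", kml)
    return buf.getvalue()

if __name__ == "__main__":
    # With a path argument, inspect that KMZ; otherwise use the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_kmz(3)
    print(inspect_kmz(raw))
```

Run it against the uploaded `my_lookup.kmz` and compare `bytes` and `placemarks` with the size and row count reported in the thread.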