Greetings,
I am running into an issue where if I zoom on a choropleth map and multiple colors exist in the legend, it just starts multiplying the choropleth output over and over again making a jumbled mess:
You can replicate the issue by running your query like the following:
|inputlookup coverage_countries.csv | search coverage="A" OR coverage="B" | lookup geo_attr_countries country as Country_Name OUTPUT country | fields country, coverage| geom geo_countries featureIdField=country
To explain the above, "coverage_countries.csv" is essentially a lookup file that contains columns "coverage" and "Country_Name", where the Country_Name cell values match the country cell values found in the splunk default geo_attr_countries lookup, and the "coverage" cells contain various coverage options (these will make up the different "colors" that will show on the map). For replication purposes you could just give coverage "A" the values of Mexico, United States, and Canada, and then for coverage "B" give it those countries in addition to the Central American countries and Carribean Islands. Now when you run the above query, the initial results look fine, but if you try zooming in and out and you will get the wonky results shown in my screenshot (and they continue to get worse the more and more you zoom in and out). If you limit the "coverage" value to only query on one coverage type (B for example), the issue is not present and zooming works just fine.
Is this a bug or am I misunderstanding something about the behavior I am experiencing with this?
Looks like a bug to me. I was able to fully duplicate your issue with the following run-anywhere code -
| inputlookup geo_attr_countries | where continent="North America"
| eval coverage=case(country="Canada","A B",country="Mexico","A B", country="United States", "A B", true(), "B")
| table country, coverage| makemv coverage | mvexpand coverage | sort coverage, country
| lookup geo_attr_countries country as Country_Name OUTPUT country | fields country, coverage
| geom geo_countries featureIdField=country
Interesting feature - the choropleth map is retaining the color across searches, even when the underlying data changes. For instance, I inserted...
| where country!="Aruba"
...and the number of results changed from 45 to 44, but the map did not lose the color.
The problem appears to be related to color painting when multiple regions are laid on top of each other.
It seems like during rendering...
1) The map paints the first region color.
2) The map paints the second color on top of the first color.
3) When the zoom level changes, the second color is removed, but the underlying first color is not -- becoming a permanent part of the "canvas", so to speak.
4) The only way to refresh the canvas is to switch to a different visualization and back (sometimes through two different visualizations).
The above happens at all levels of opacity up to 100% opaque.
Looks like a bug to me. I was able to fully duplicate your issue with the following run-anywhere code -
| inputlookup geo_attr_countries | where continent="North America"
| eval coverage=case(country="Canada","A B",country="Mexico","A B", country="United States", "A B", true(), "B")
| table country, coverage| makemv coverage | mvexpand coverage | sort coverage, country
| lookup geo_attr_countries country as Country_Name OUTPUT country | fields country, coverage
| geom geo_countries featureIdField=country
Interesting feature - the choropleth map is retaining the color across searches, even when the underlying data changes. For instance, I inserted...
| where country!="Aruba"
...and the number of results changed from 45 to 44, but the map did not lose the color.
The problem appears to be related to color painting when multiple regions are laid on top of each other.
It seems like during rendering...
1) The map paints the first region color.
2) The map paints the second color on top of the first color.
3) When the zoom level changes, the second color is removed, but the underlying first color is not -- becoming a permanent part of the "canvas", so to speak.
4) The only way to refresh the canvas is to switch to a different visualization and back (sometimes through two different visualizations).
The above happens at all levels of opacity up to 100% opaque.
A bug has been filed for this issue in: SPL-144955. Contact Splunk support for more info.
Up vote for very nice description of how to duplicate the problem.
If you can still edit tags, add the tag "bug" to this to get splunk's attention.