I have a dataset of events around a particular city which I wish to represent on a heat map. I have a lookup to each latitude and longitude, but when I try and produce a map it seems to combine all the events into 1 lat and long location.
How can I drill down further?
My search code looks like:
index=edisyslogdata exEventType="Area Change" streetName!=NULL | lookup EdiStreetAssets StreetAsset as apId | table apId, streetName, lat, long | geostats latfield=lat longfield=long count BY apId
The events in your dataset are too near to each other. Try the app below; it will be helpful:
https://splunkbase.splunk.com/app/3124/
I hope it's because of the restriction on the number of clusters.
By default it will be 100; change it to 10000 or 100000 and check it.
It works for me.
In Source XML:
<option name="mapping.data.maxClusters">100000</option>
@ajobling1964 - did you get a chance to check with the above option?
Thanks - I have experimented with various combinations of cluster and binspanlat and binspanlong settings. The latest results in my clusters appearing momentarily and then disappearing!
I guess what I'm really after is decent documentation and examples of code for heat maps (over a time period) and cluster maps.
@ajobling1964, you can use mapping.map.zoom and mapping.map.center to set the initial location/zoom for the visualization on loading. You can use scroll to zoom in and zoom out (provided scroll zoom is enabled through the Edit > Format option), or else through mapping.map.scrollZoom.
Check out the Splunk documentation for the Map Simple XML configuration reference: http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#map
@ajobling1964, are you using the built-in map or some other custom visualization app which plots the map?
It's the open street map which is one of the preset configurations on the Tiles tab.