geostats cluster map help

shrija

This spl query | geostats count latfield=lat longfield=lon gives visualization as cluster map where if we zoom in we will find bubbles. But I want it to be a continuous line instead of bubbles. Is it possible to do in splunk?

Also can we plot the below 2 geostats graphs within one visualization in splunk?

1.>|geostats values(Good) as Good values(Resetting) as Resetting values(Starting) as Starting values(Unknown) as Unknown values(Faulty) as Faulty latfield=lat longfield=lon
2.> | geostats count latfield=lat longfield=lon

| want the visualizations to be plotted as map only and not as time based charts.

shrija

I have 2 concerns to address. First I will describe the first one, once its done I will describe the second one.

Below is how my spl query of 1st panel looks like.

eventtype="example1" OR eventtype="example2" airline="airline1" AND aircraft="aircraft1"
|sort 0 _time
|rex for latitude and longitude
|table _time airline aircraft lon lat flight_number
|streamstats current=f last(flight_number) as p_fn
|eval flight_number=if(isnull(flight_number),p_fn,flight_number)
|search flight_number="filghtnumber1"
|geostats count latfield=lat longfield=lon

This gives visualization like the below.

But I want it to be shown as continuous line instead of bubbles. Is it possible to be done using any other visualization or modifying the spl query shared?
I am not working for any specific geographic region.

VatsalJagani

|geostats values(Good) as Good values(Resetting) as Resetting values(Starting) as Starting values(Unknown) as Unknown values(Faulty) as Faulty latfield=lat longfield=lon

* How would you put values on Map visualization?

tscroggins

If the Good, Resetting, etc. fields are counts, @shrija may have been looking for this:

| fields lat lon Good Resetting Starting Unknown Faulty
| eval Count=0
| foreach Good Resetting Starting Unknown Faulty
    [| eval Count=Count+coalesce('<<FIELD>>', 0) ]
| geostats globallimit=0 latfield=lat longfield=lon sum(Good) as Good sum(Resetting) as Resetting sum(Starting) as Starting sum(Unknown) as Unknown sum(Faulty) as Faulty sum(Count) as Count

However, the cluster map visualization generates a pie chart with one half of the pie representing the total count and the other half of the pie representing the individual sums:

shrija

I have the spl query with me for the pie chart(good, resetting options). Just that I have to plot this visualization with another one in the same map. Both of the queries which are to be shown together is using geostats command. Is it possible to plot 2 graphs in a map in splunk?

tscroggins

Hi @shrija,

You can create choropleth (shaded outline) maps in both Classic (Simple XML) and Dashboard Studio map visualizations. In Simple XML, you can also create categorical choropleth maps and pie chart bubbles. In Dashboard Studio, you can create pie charts bubbles and categorical markers. Neither supports color bars.

To map events to geographic boundaries, you can use the bundled United States geo lookups or you can upload custom KML files. Combined with a custom tile server, the KML files can represent anything with features and coordinates: topographical maps, nautical charts, office layouts, theme parks, rail/subway systems, etc.

Are you working with a specific geographic region?

shrija

can you explain me in detail please? What issue the solution of yours will resolve?

geostats cluster map help

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)