
Create a geo map based on 3 letter country code

md_imran
New Member

I have a query that returns a stats count based on the ISO 3-letter country code. How can I create a map visualization for this data?

0 Karma

acharlieh
Influencer

No extra apps are required to accomplish this. I can give you two options here, both using only things that come with Splunk Enterprise by default.

The simplest method (no configuration changes needed): if you look in the search app, you'll see that there's a built-in lookup called geo_attr_countries. This lookup has (among other things) iso2 and iso3 letter codes mapped to country names.

Using this lookup, I can actually make a simulation of your data set, where I have a code and a count:

| inputlookup geo_attr_countries | fields iso3 | eval select=case(random()%10==2,"yes"),count=random()%100+1 | where select="yes" and isnotnull(iso3) | fields - select | rename iso3 as code

I'm using this starting point; you'd use your own starting point... but assuming my base search has fields code and count, I can use the lookup to resolve the code to a country name, and the geom command to turn the country name into a geometry (suitable for display on a choropleth map) like so:

<base search> | lookup geo_attr_countries iso3 as code OUTPUT country | geom geo_countries featureIdField=country | fields country count geom

Another potential option, involves defining a new geospatial lookup. In Settings > Lookups > Lookup Definitions, you're going to create a new lookup, with type=Geospatial using the lookup file geo_countries.kmz... name can be whatever you want (I chose geo_countries_iso3), but under Advanced options you need to define the Feature Id Element as the following: /Placemark/ExtendedData/SchemaData[@schemaUrl="#countries"]/SimpleData[@name="ISO3"]

Instead of using the country name, this now is a lookup using the 3 letter ISO code as a feature ID. With that knowledge object created and shared with those who will need it, you can now just use the geom command directly:

<base search> | geom geo_countries_iso3 featureIdField=code

There are of course other ways to do this as well (use geo_attr_countries before your stats, so your stats are by country instead of by ISO 3-letter code)... But again, no additional apps are in fact required for this ask.

0 Karma

md_imran
New Member

Appreciate your answer.

I was able to look up geo_attr_countries and use it to generate the choropleth map. I was trying to use the cluster map with the same query, but the visualization comes up as a blank map. Cluster Map documentation on Splunk indicates it works with Lat, Long.

Is there a way to visualize using a cluster map with country code rather than a choropleth?

0 Karma

acharlieh
Influencer

It's certainly possible... You'd just need to convert from a country code to a lat, long first. There are many ways you could do this, importing and leveraging a lookup of 2 letter ISO country code to the centroid coordinates for example (I'm sure you've noticed that geo_attr_countries has both 2 letter and 3 letter ISO codes)... and then leverage the geostats command.

But that said, in your presentation you should make sure that with your labeling your viewers understand the degree of accuracy of the data that you are presenting on this map/visualization.

Basically you're taking data that represent areas (country codes), and reducing them to single points. When people interpret points for when they instead need areas... this sort of thing has quite the history of going quite wrong. But if a cluster map is what you need, such a scheme could work.

0 Karma
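As an added example (not code from any post in this thread), here is a Simple XML dashboard that puts both routes described above side by side: the choropleth from the first answer (iso3 resolved to a country name via geo_attr_countries, then geom) and the cluster map from the second (iso3 joined to a centroid, then geostats). The base search is constructed sample data standing in for your own search; `country_centroids` is an assumed CSV lookup with fields `iso3`, `lat`, `lon` that you would upload yourself.

```xml
<dashboard>
  <label>Counts by ISO3 country code</label>
  <!-- Base search: constructed sample events standing in for your own search.
       "ZZZ" is a user-assigned code that the country lookup cannot resolve. -->
  <search id="by_code">
    <query>
      | makeresults count=4
      | streamstats count AS n
      | eval code=case(n=1,"USA", n=2,"DEU", n=3,"BRA", true(),"ZZZ"), count=n*10
      | fields code count
    </query>
  </search>
  <row>
    <panel>
      <title>Choropleth: ISO3 code to country name to polygon</title>
      <!-- Post-process: resolve iso3 with the built-in lookup. Unresolved codes are
           relabelled UNRESOLVED:code so they stay in the results (with no geom)
           instead of silently vanishing from the map. -->
      <map>
        <search base="by_code">
          <query>
            | lookup geo_attr_countries iso3 AS code OUTPUT country
            | eval country=coalesce(country, "UNRESOLVED:".code)
            | stats sum(count) AS count BY country
            | geom geo_countries featureIdField=country
          </query>
        </search>
        <option name="mapping.type">choropleth</option>
      </map>
    </panel>
    <panel>
      <title>Cluster map: ISO3 code to centroid to geostats</title>
      <!-- country_centroids is an ASSUMED CSV lookup (fields iso3, lat, lon) that
           you upload yourself; rows with no centroid are dropped before geostats. -->
      <map>
        <search base="by_code">
          <query>
            | lookup country_centroids iso3 AS code OUTPUT lat lon
            | where isnotnull(lat) AND isnotnull(lon)
            | geostats latfield=lat longfield=lon sum(count) AS count BY code
          </query>
        </search>
        <option name="mapping.type">marker</option>
      </map>
    </panel>
  </row>
</dashboard>
```

Each marker in the second panel is one country collapsed to a single point, which is the accuracy caveat raised above; label the panel accordingly.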

VatsalJagani
SplunkTrust

Hello @md_imran,
Hopefully, this GeoLocation App will help you.

0 Karma

acharlieh
Influencer

I downvoted this post because, reading through the linked app, it does not use 3-letter ISO country codes. While apps posted to Splunkbase can sometimes solve problems, blind recommendations to pull apps based on keywords do not make for good answers. A better answer would point out what in the app would help solve the problem at hand.

In fact, as I point out in my answer, this question can be solved without any additional apps, provided a new enough version of Splunk Enterprise.

0 Karma