Hey fellow Splunkers. I'm working on mapping some of my data and ran into a bit of a snag.. With the first search example below, I managed to get my IPS data populating the map sequentially. The problem is, I don't believe it's possible to change the first (min?) color. What I'm left with is everything being white except for the top hitting country, because of the large discrepancy in numbers. E.g.: first series ends up being 0-1000 which is most countries and the top country ends up being 10000-12000.

index=IPS source=IPS | iplocation src_ip | stats count by Country | geom geo_countries featureIdField="Country"

So, I found a way to fix it! Dynamically allocating categories in a "categorical" type map and assigning the series colors in the XML. It worked... for the most part... As it turns out, the first category that populates grabs the first color and it continues on from there as it goes through the logs. If it hits a log from China first, but China ends up being the second from the top, it has the first color. This ends up with a random assortment of colors from my hard-coded list in the final series list. E.g.: If I have color1,color2,color3 in the xml, I might end up with a series/color listing of color2,color1,color3. Below is the code I have to get to this point.

XML: <option name="mapping.seriesColors">[0xafcdff, 0x7cadff, 0x5695ff, 0x2b7aff, 0x005fff]</option>
Search: index=IPS source=IPS | iplocation src_ip | stats count by Country | geom geo_countries featureIdField="Country" | kmeans k=5 count | eventstats min(count) AS min, max(count) AS max by CLUSTERNUM | sort max | eval count=min."-".max | fields - CLUSTERNUM centroid_count max min

Does anyone have any recommendations where I can better control the assignment of colors to each series? I want to end up with a sequential-type map, but be able to have any country with a value of >0 to not be white.

Thank you in advance.