Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create geo map from manually extracted values ?

georgear7
Communicator
‎07-21-2020 07:55 AM

I want to create geo map using 'geostats' command and am extracting and assigning country, latitude and longitude using eval command.

Source log file:

Application_NameTransaction_NameStatus
NP_DEV_AUHomepage0
NP_DEV_VNHomepage0
NP_DEV_AULogin1
NP_DEV_HKHomepage1
NP_DEV_IDLogin0
NP_DEV_IDHomepage0
NP_DEV_VNLogin0
NP_DEV_HKLogin1

 

Below is my query.

index=foo host=ab03u source=*sm.log sourcetype=bol_logs
| rex field=Application_Name "NP_DEV_(?<Market>\w+.*)"
| rex field=Application_Name "NP_DEV_(?<Market>\w+.*)"
| eval Country=case(Market=="HK","Hong Kong", Market=="TH","Thailand", Market=="VN","Vietnam", Market=="AU","Australia", Market=="ID","Indonesia", Market=="PH","Philippines", Market=="MY","Malaysia", Market=="SG","Singapore", Market=="CN","China")
| chart values(Status) by Country,Transaction_Name
| eval Result=case((Homepage!=Login), "Failure", (Homepage==0 AND Login==0), "Success", (Homepage==1 AND Login==1), "Failure")
| eval latitude=case(Country=="Hong Kong","22.396428", Country=="Thailand","15.870032", Country=="Vietnam","14.058324", Country=="Australia","-25.274398", Country=="Indonesia","-0.789275", Country=="Philippines","12.879721", Country=="Malaysia","4.210484", Country=="Singapore","1.352083", Country=="China","35.86166")
| eval longitude=case(Country=="Hong Kong","114.109497", Country=="Thailand","100.992541", Country=="Vietnam","108.277199", Country=="Australia","133.775136", Country=="Indonesia","113.921327", Country=="Philippines","121.774017", Country=="Malaysia","101.975766", Country=="Singapore","103.819836", Country=="China","104.195397")
| geostats latfield=latitude longfield=longitude values(Result) by Country

So, my final output will be,

CountryResult
AustraliaFailure
VietnamSuccess
Hong KongFailure
IndonesiaSuccess


From this table i want to create one geo map using 'geostats' command, output should be in bubbles. and whichever country having 'Failure' as the Result, it should shows in red color bubble & success should be in green color bubble.

When i used above query, it's not showing any result for cluster map.

@skakehi_splunk @rnowitzki @richgalloway @woodcock @somesoni2 @niketn ..Need all your expertise on this.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rnowitzki
Builder
‎07-23-2020 01:05 AM

Hi @georgear7 ,

I think I have what you need.

This SPL makes up some sample data of yours and puts it on a map:

| makeresults 
| eval "Country" = "Australia Vietnam HongKong Indonesia"
| makemv Country
| mvexpand Country
| eval Result = case(Country="Australia",2,Country="Vietnam",1,Country="HongKong",2, Country="Indonesia",1)
| eval latitude=case(Country=="HongKong","22.396428", Country=="Vietnam","14.058324", Country=="Australia","-25.274398", Country=="Indonesia","-0.789275")
| eval longitude=case(Country=="HongKong","114.109497", Country=="Vietnam","108.277199", Country=="Australia","133.775136", Country=="Indonesia","113.921327")
| geostats latfield=latitude longfield=longitude count by Result


=> Save it as Dashboard Panel and edit the source.
=> Add this to the Options:

<option name="mapping.fieldColors">{"1":"0x65a637","2":"0xd93f3c"}</option>


Et voila:

geostats_colors_test.PNG

 

 

 

 

 

 

 

 

I hope it helps

BR
Ralph

--
Karma and/or Solution tagging appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-21-2020 11:59 AM
The geostats needs positive numbers, not strings, to display.
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

georgear7
Communicator
‎07-21-2020 10:54 PM

@richgalloway I converted my output to numbers. Now, '0' means success, '1' means failure. and the requirement is to color it according to the values.

0 - Green color

1 - Red color

I have used below, but it's not helping.

<option name="mapping.fieldColors">{"0":0x00FF00,"1":0xFF0000}</option>

Please suggest how to achieve this.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-22-2020 05:41 AM
"It's not helping" what, exactly?
In my tests, zero values did not produce graphics, hence the "positive numbers" in my reply.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

georgear7
Communicator
‎07-22-2020 05:49 AM

@richgalloway Yes, you're correct. "0" is not giving graph.

So, I have assigned "1" is for 'Success' and "2" is for 'Failure'.

Now i want to color my bubble according to values. If it's 1, bubble should be in green color and if it's 2, it should be in red.

0 Karma
Reply
Solved! Jump to solution
Solution

rnowitzki
Builder
‎07-23-2020 01:05 AM

Hi @georgear7 ,

I think I have what you need.

This SPL makes up some sample data of yours and puts it on a map:

| makeresults 
| eval "Country" = "Australia Vietnam HongKong Indonesia"
| makemv Country
| mvexpand Country
| eval Result = case(Country="Australia",2,Country="Vietnam",1,Country="HongKong",2, Country="Indonesia",1)
| eval latitude=case(Country=="HongKong","22.396428", Country=="Vietnam","14.058324", Country=="Australia","-25.274398", Country=="Indonesia","-0.789275")
| eval longitude=case(Country=="HongKong","114.109497", Country=="Vietnam","108.277199", Country=="Australia","133.775136", Country=="Indonesia","113.921327")
| geostats latfield=latitude longfield=longitude count by Result


=> Save it as Dashboard Panel and edit the source.
=> Add this to the Options:

<option name="mapping.fieldColors">{"1":"0x65a637","2":"0xd93f3c"}</option>


Et voila:

geostats_colors_test.PNG

 

 

 

 

 

 

 

 

I hope it helps

BR
Ralph

--
Karma and/or Solution tagging appreciated.
Reply
Solved! Jump to solution

georgear7
Communicator
‎07-28-2020 07:47 AM

Hi @rnowitzki ,

Thanks for your efforts in getting this, i can able to color the bubble now.

One more help i need from you regarding changing the size of the map. If you look at the countries which i mentioned in query, those are belongs to Asia and Australia continent. So i want to show those countries region only in my map without manually zooming it every time.

 

Due to this reason, countries like Hong Kong, Thailand, Vietnam are coming as a big bubble when we are not zooming in.

0 Karma
Reply
Solved! Jump to solution

rnowitzki
Builder
‎07-28-2020 08:00 AM

Hi @georgear7 ,

This can be done with:

        <option name="mapping.map.center">(14,100)</option>
        <option name="mapping.map.scrollZoom">0</option>
        <option name="mapping.map.zoom">4</option>

 
I tried to set it around "your" countries", if not close enough, play around with the lat/long of the map.center and map.zoom option to set is as needed.


BR
Ralph

--
Karma and/or Solution tagging appreciated.
Reply
Solved! Jump to solution

georgear7
Communicator
‎07-28-2020 09:09 AM

Hi @rnowitzki ,

This is perfectly working fine, thanks a bunch for all your help. Much appreciated!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-22-2020 06:40 AM
I have not been successful specifying colors for a pie chart since the Advanced XML days. The Visualization manual does not list a way to do it.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...