Solved: help on custom cluster map

jip31 · ‎02-02-2022

hi

I use the search below in order to display the number of events corresponding to my main search on a cluster map

There is a gap between the results displayed on my map and the results of the main search

I have identified a first problem

Some sites between the lookup and splunk are a little bit differents

For example, I have a site calle "LA BA" in Splunk and "LA BAUME" in the csv

So what I have to do that the sites match well?

index=toto sourcetype=tutu
| stats dc(id) as nbincid by site 
| where isnotnull(site) 
| join type=left site 
    [| inputlookup Bp.csv 
    | rename siteName as site 
    | fields site latitude longitude ] 
| table site nbincid latitude longitude 
| geostats latfield=latitude longfield=longitude globallimit=0 values(nbincid)

johnhuang · ‎02-02-2022

The marker size you set on the cluster map will group locations that falls within that radius together.

View solution in original post

johnhuang · ‎02-02-2022

The marker size you set on the cluster map will group locations that falls within that radius together.

jip31 · ‎02-02-2022

yes you are right

So if i well understand it's not possible to display the results on the map one shot?

last thing, I have you an idea for the site which have a different name between splunk and the lookup?

help on custom cluster map

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?