Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

help on map visualisation

jip31
Motivator
‎11-19-2021 12:48 AM

hi

I use a basic search in order to count the number of incidents by town

index=toto sourcetype=tutu 
| stats dc(id) by site

Now I would be able o display this results on a map in order to have a bubble with the number of incidents for each site

So I have created a lookup (gps.csv) like this

site,Longitude,Latitude,
AGDE,3.4711992,43.3154
NANTES,-1.58295,47.235197
TOULOUSE,1.3798,43.6091

So what I have to for doing a cross between my search and my lookup in order to have a bubble count on my map vizualisation?

thanks

 

Tags (1)
0 Karma
Reply

jip31
Motivator
‎12-01-2021 10:05 PM

I see the events only in the "events" tab

jip31_0-1638424905047.png

But i cant see the events related to my lookup 

Yet, if i just execute, I can see the events

| lookup gps.csv site

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-19-2021 05:23 AM

Does this help?

| lookup gps.csv site
0 Karma
Reply

jip31
Motivator
‎11-21-2021 09:30 PM

I have no isssue but nothing is dispalyed on the map.....

I have done this

 

index=toto sourcetype=tutu  
| lookup gps.csv site 
| geostats dc(id) latfield=Latitude longfield=Longitude by site

 

what is wrong please??

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-28-2021 11:00 PM

What are your resilts after just lookup?

What are your results after geostats?

0 Karma
Reply

jip31
Motivator
‎11-28-2021 11:12 PM

After lookup I have results (73 events)

But geostats when I a m going in visualisation tab, there is no map displayed

jip31_0-1638169748625.png

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2021 12:19 AM

You have no results (Statistics (0)!) - what does the rest of your search actually look like?

0 Karma
Reply

jip31
Motivator
‎12-02-2021 01:54 AM

here is the search

index=tutu sourcetype=toto 
| search site=*agde* OR site=*nantes* OR site=*toulouse* 
| lookup gps4.csv site 
| geostats count(signaler_id) latfield=latitude longfield=longitude by site
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2021 05:50 AM

If your examples are anything to go by your site is in lowercase whereas your lookup in is uppercase - either convert the site from the search to uppercase or make sure you have set up a case-insensitive lookup definition

0 Karma
Reply

jip31
Motivator
‎12-02-2021 07:52 AM

I have added an upper command but it changes anything

index=toto sourcetype=tutu
| search site=*agde* OR site=*nantes* OR site=*toulouse*
| eval site=upper(site)
| lookup gps4.csv site 
| geostats count(signaler_id) latfield=latitude longfield=longitude by site

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2021 07:57 AM

The issue is probably with your events - if you don't share them, anonymised of course, it is very difficult to help you.

0 Karma
Reply

jip31
Motivator
‎12-02-2021 08:17 AM

Yes, but it's difficult to share events dont displayed....

The only thing I can say is that the site field in "gps.csv" is in Upper case

jip31_0-1638461753989.png

 

 

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2021 08:20 AM

Previously, you said you had 73 events (prior to lookup?) - can you share some of them?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-29-2021 11:21 AM

I understand that you get some results. But what do they look like?

0 Karma
Reply

jip31
Motivator
‎12-07-2021 04:24 AM

Hi

I have explained it in the previous message

I cant share nothing interesting....

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...