Hello guys,
I have a problem with the "Cluster Map". I added a log 2 weeks ago, and when I search over the last 6 weeks the "Cluster Map" shows me the right results. But if I lower the time range picker, for example to the last 15 seconds where there can't be any results (because I uploaded a static log and have no active monitor on this file), I get the same results as before I decreased the time range picker, while the job inspector tells me there are no results in this time range.
This search has completed in 0.276 seconds, but did not match any events. The terms specified in the highlighted portion of the search:
search (source="otrs.log" remote_addr:) | rex field=remote_addr "(?
over the time range: 10/5/17 4:33:27.000 PM - 10/5/17 4:33:42.000 PM
But I get this map:
If I extend the time range picker to "all time" and then decrease it again to the last 15 seconds, it shows me the results from the "all time" search; but if I decrease it to the last 6 weeks like in my sample picture, I get the right results as above.
For me it looks like the visualisation doesn't change if I get zero events.
So I don't know if it is a bug in 6.6.3 and 7.0 or if something is wrong with my search.
@michel_wolf, I think this is a known behavior which I had noticed even in Splunk 6.4, so it might have existed for a long time now. If you have a valid Splunk Entitlement, you can open a BUG request for this (http://www.splunk.com/r/bugs).
Until it is resolved you can try the following alternative: use the depends and rejects attributes in a Simple XML dashboard to hide the map and show a custom message (using an HTML panel in Simple XML) instead.
Using the <done> search event handler, the default job token $job.resultCount$ is accessed to confirm whether the search returned results or not. If no results are returned, the token $tokPlotDataOnMap$ is unset; otherwise it is set to true.
When $tokPlotDataOnMap$ is set, the map is displayed using the depends attribute; when it is unset, the map is hidden and the HTML panel is displayed using the rejects attribute.
<form>
  <label>Cluster Map Results and then No Results through filter</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime">
      <label></label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- The map is rendered only while $tokPlotDataOnMap$ is set -->
      <map depends="$tokPlotDataOnMap$">
        <search>
          <query>source="access.log" host="NiketNilay-PC" sourcetype="access_combined_wcookie"
            | stats count by clientip method
            | iplocation clientip
            | geostats latfield=lat longfield=lon sum(count) by method</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <!-- When the job finishes: unset the token if it matched nothing, set it otherwise -->
          <done>
            <condition match="$job.resultCount$==0">
              <unset token="tokPlotDataOnMap"></unset>
            </condition>
            <condition>
              <set token="tokPlotDataOnMap">true</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="mapping.choroplethLayer.colorBins">5</option>
        <option name="mapping.choroplethLayer.colorMode">auto</option>
        <option name="mapping.choroplethLayer.maximumColor">0xDB5800</option>
        <option name="mapping.choroplethLayer.minimumColor">0x2F25BA</option>
        <option name="mapping.choroplethLayer.neutralPoint">0</option>
        <option name="mapping.choroplethLayer.shapeOpacity">0.75</option>
        <option name="mapping.choroplethLayer.showBorder">1</option>
        <option name="mapping.data.maxClusters">100</option>
        <option name="mapping.legend.placement">bottomright</option>
        <option name="mapping.map.center">(0,0)</option>
        <option name="mapping.map.panning">1</option>
        <option name="mapping.map.scrollZoom">0</option>
        <option name="mapping.map.zoom">2</option>
        <option name="mapping.markerLayer.markerMaxSize">50</option>
        <option name="mapping.markerLayer.markerMinSize">10</option>
        <option name="mapping.markerLayer.markerOpacity">0.8</option>
        <option name="mapping.showTiles">1</option>
        <option name="mapping.tileLayer.maxZoom">7</option>
        <option name="mapping.tileLayer.minZoom">0</option>
        <option name="mapping.tileLayer.tileOpacity">1</option>
        <option name="mapping.type">marker</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </map>
      <!-- The message panel is rendered only while $tokPlotDataOnMap$ is unset -->
      <html rejects="$tokPlotDataOnMap$">
        <div style="font-weight:bold;text-align:center;color:red;">No Results Found to plot on Map. Please select a wider date range</div>
      </html>
    </panel>
  </row>
</form>
PS: The above dashboard code is based on the Splunk Tutorial Data for Buttercup Games, which is refreshed weekly at the following link: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Systemrequirements#Download_the_tu...
Please follow the instructions to load the data first. I have loaded it into Splunk's main (default) index.
Could you please tell me how to resolve this issue? Is there any patch available for it?
The issue is still happening in the current version of Splunk.
<option name="mapping.map.center">($lat$,$lon$)</option>
Solution for this that worked, but is a pain (from someone in another post): click cancel.
So now, instead of a blank map on the right, it all works: click on Japan and it can see the right map center and zoom to the JP lat/lon.