Splunk Search

Cluster Map doesn't show correct events

michel_wolf
Path Finder

Hello guys,

I have a problem with the "Cluster Map". I added a log 2 weeks ago, and when I do a search over the last 6 weeks the "Cluster Map" shows me the right results, but if I lower the time range picker, for example to the last 15 seconds, there can't be any results, because I uploaded a static log and have no active monitor on this file.

I get the same results which I had before I decreased the time range picker, and the job inspector tells me there are no results in this time range.

This search has completed in 0.276 seconds, but did not match any events. The terms specified in the highlighted portion of the search:
search (source="otrs.log" remote_addr:) | rex field=remote_addr "(?\d+.\d+.\d+).\d+" | iplocation remote_addr | geostats count

over the time range: 10/5/17 4:33:27.000 PM - 10/5/17 4:33:42.000 PM

But I get this map:

[screenshot of the map]

If I extend the time range picker to "all time" and decrease it again to the last 15 seconds, it will show me the results from the "all time" search, but if I decrease it to the last 6 weeks, like in my sample picture, I get the right results like above.
For me it looks like the visualisation doesn't change if I get zero events.

So I don't know if it is a bug in 6.6.3 and 7.0 or if something is wrong with my search.

1 Solution

niketn
Legend

@michel_wolf, I think this is a known behavior which I had noticed even in Splunk 6.4, so this might have existed for a long time now. If you have a valid Splunk Entitlement, you can open a BUG request for this (http://www.splunk.com/r/bugs).

Until it is resolved you can try the following alternative: use the depends and rejects attributes in a Simple XML dashboard to hide the map and show a custom message (using an HTML panel in Simple XML) instead.

[screenshot of the dashboard]

Using the <done> search event handler, the default job token $job.resultCount$ is accessed to confirm whether the search returned results or not. If no results are returned, the token $tokPlotDataOnMap$ is unset; otherwise it is set to true.

When $tokPlotDataOnMap$ is set, the map is displayed using the depends attribute, and when it is unset, the map is hidden and the HTML panel is displayed using the rejects attribute.

<form>
  <label>Cluster Map Results and then No Results through filter</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime">
      <label></label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <map depends="$tokPlotDataOnMap$">
        <search>
          <query>source="access.log" host="NiketNilay-PC" sourcetype="access_combined_wcookie"
| stats count by clientip method
| iplocation clientip
| geostats latfield=lat longfield=lon sum(count) by method</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <condition match="$job.resultCount$==0">
              <unset token="tokPlotDataOnMap"></unset>              
            </condition>
            <condition>
              <set token="tokPlotDataOnMap">true</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="mapping.choroplethLayer.colorBins">5</option>
        <option name="mapping.choroplethLayer.colorMode">auto</option>
        <option name="mapping.choroplethLayer.maximumColor">0xDB5800</option>
        <option name="mapping.choroplethLayer.minimumColor">0x2F25BA</option>
        <option name="mapping.choroplethLayer.neutralPoint">0</option>
        <option name="mapping.choroplethLayer.shapeOpacity">0.75</option>
        <option name="mapping.choroplethLayer.showBorder">1</option>
        <option name="mapping.data.maxClusters">100</option>
        <option name="mapping.legend.placement">bottomright</option>
        <option name="mapping.map.center">(0,0)</option>
        <option name="mapping.map.panning">1</option>
        <option name="mapping.map.scrollZoom">0</option>
        <option name="mapping.map.zoom">2</option>
        <option name="mapping.markerLayer.markerMaxSize">50</option>
        <option name="mapping.markerLayer.markerMinSize">10</option>
        <option name="mapping.markerLayer.markerOpacity">0.8</option>
        <option name="mapping.showTiles">1</option>
        <option name="mapping.tileLayer.maxZoom">7</option>
        <option name="mapping.tileLayer.minZoom">0</option>
        <option name="mapping.tileLayer.tileOpacity">1</option>
        <option name="mapping.type">marker</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </map>
      <html rejects="$tokPlotDataOnMap$">
        <div style="font-weight:bold;text-align:center;color:red;">No Results Found to plot on Map. Please select a wider date range</div>
      </html>
    </panel>
  </row>
</form>

PS: The above dashboard code is based on the Splunk Tutorial Data for Buttercup Games, which is refreshed weekly at the following link: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Systemrequirements#Download_the_tu...
Please follow the instructions to load the data first. I have loaded the same into Splunk's main (default) index.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"



ajitshukla61116
Path Finder

Could you please tell me how to resolve this issue? Is there any patch available for the same?


dsouza_home
Explorer

The issue is still happening in the current version of Splunk.

<option name="mapping.map.center">($lat$,$lon$)</option>

A solution for this that worked, but is a pain, from someone in another post.

[screenshot]

Click cancel.

[screenshot]

So now, instead of a blank map on the right, it all works: click on Japan and it can see the right map center and zoom to the JP lat/lon.

[screenshot]
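Putting the two ideas in this thread together, here is an added example dashboard (not code from the original thread, and not from any of the posters) that applies niketn's <done>/$job.resultCount$ guard to the asker's otrs.log search and also wires up the tokenized mapping.map.center that dsouza_home mentions, so clicking a country in a table recenters and zooms the map. Assumptions: the events carry a remote_addr field (the example filters on remote_addr=*), the lat/lon/Country fields are the ones iplocation produces, and the <init> element is available (Splunk 6.6 or later); on older versions drop <init> and supply the three defaults via inputs instead.

```xml
<form>
  <label>Cluster Map with empty-result guard and click-to-center (added example)</label>
  <!-- Added example, not from the original thread. Assumes source="otrs.log" events with a
       remote_addr field; lat, lon and Country are the fields iplocation adds. -->
  <init>
    <!-- default map center and zoom before any row is clicked -->
    <set token="lat">0</set>
    <set token="lon">0</set>
    <set token="zoom">2</set>
  </init>
  <fieldset submitButton="false">
    <input type="time" token="tokTime">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Source countries (click a row to center the map)</title>
      <table>
        <search>
          <query>source="otrs.log" remote_addr=*
| iplocation remote_addr
| where isnotnull(lat) AND isnotnull(lon)
| stats count avg(lat) as lat avg(lon) as lon by Country
| sort - count</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <drilldown>
          <!-- $row.lat$ / $row.lon$ hold the clicked row's field values -->
          <set token="lat">$row.lat$</set>
          <set token="lon">$row.lon$</set>
          <set token="zoom">5</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <map depends="$tokPlotDataOnMap$">
        <search>
          <query>source="otrs.log" remote_addr=*
| iplocation remote_addr
| geostats latfield=lat longfield=lon count</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <done>
            <!-- hide the map instead of leaving stale markers when the job has no rows -->
            <condition match="$job.resultCount$==0">
              <unset token="tokPlotDataOnMap"></unset>
            </condition>
            <condition>
              <set token="tokPlotDataOnMap">true</set>
            </condition>
          </done>
        </search>
        <option name="mapping.type">marker</option>
        <option name="mapping.map.center">($lat$,$lon$)</option>
        <option name="mapping.map.zoom">$zoom$</option>
        <option name="drilldown">none</option>
      </map>
      <html rejects="$tokPlotDataOnMap$">
        <div style="font-weight:bold;text-align:center;color:red;">No events in the selected time range; the map is hidden rather than showing stale markers.</div>
      </html>
    </panel>
  </row>
</form>
```

One caveat when using this pattern: the <done> handler only fires when the map's own search job finishes, so after narrowing the time picker the stale markers remain visible until the new job completes; if that matters, unset tokPlotDataOnMap in a <change> handler on the time input as well so the map disappears immediately and is only re-shown once a job with results completes.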