Generate a choropleth map based on the states using geo_us_states

rohit_kothuru
New Member

I am trying to generate a Choropleth map to show the density of requests for each state in the US.

I am using the query below:

rex field=_raw ".*State -(?<searchState>.*) for.*" | search searchState != null |stats count by searchState |geom geo_us_states featureIdField=searchState

searchState    count    featureCollection    geom
California     2        geo_us_states
Connecticut    2        geo_us_states

The above is the output I am getting, and I am not getting any results on the map visualization.
I don't see any issue in the job log either. Can someone help me out with this?

(EDIT - I changed the code to be in "code" tags to make Answers not eat characters - Rich)

0 Karma

Richfez
SplunkTrust

Interesting - where the field geom is specified, you should have a bunch of stuff, like ...

 {"type":"multipolygon", "coordinates": [[[[lots of numbers here ... LOTS of numbers here... 🙂 ... }

Can you try this run-anywhere search?

| makeresults | eval state="California" | stats count by state | geom geo_us_states featureIdField=state

When it runs, in your statistics tab you should have output like I describe above for California. In the visualizations tab you should see a US or world map, with California in light pink.

Let us know what you find!

0 Karma

rohit_kothuru
New Member

@rich7177

I ran the run-anywhere search and I am able to see California in light pink.

0 Karma

rohit_kothuru
New Member

@rich7177

It was a mistake on my side. The state had spaces, and because of this it was not getting mapped.

If I run the query (with geom geo_us_states) I get the world map, but I want only the map of the US. Is there any way to achieve this?

0 Karma

Richfez
SplunkTrust

In the settings for the map, there's a way to set the default zoom level. If you get it zoomed in how you want, then set that, it should remember your settings.

0 Karma

rohit_kothuru
New Member

Correct query:

rex field=_raw ".*State -(?<searchState>.*) for.*" | search searchState != null |stats count by searchState |geom geo_us_states featureIdField=searchState

0 Karma

Richfez
SplunkTrust

Oh and I see you did that too. Well, no harm done. 🙂

0 Karma
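
The cause found in this thread (an extracted state value carrying spaces, so `geom` finds no matching feature and leaves the geom column empty) can be reproduced and fixed in one run-anywhere search. This is an added example, not a query posted by anyone in the thread. The event text is constructed sample data, and the position of the stray space (right after the dash) and the use of `trim()` to remove it are assumptions.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(
    n=1, "constructed sample: State - California for request 1",
    n=2, "constructed sample: State - California for request 2",
    n=3, "constructed sample: State - Connecticut for request 3",
    n=4, "constructed sample: State - Connecticut for request 4")
| rex field=_raw "State -(?<searchState>.*) for"
| eval searchState=trim(searchState)
| stats count BY searchState
| geom geo_us_states featureIdField=searchState
```

Removing the `eval searchState=trim(searchState)` line leaves the leading space in each value and brings back the empty geom column shown in the original question.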