Generate a choropleth map based on the states using geo_us_states

rohit_kothuru
New Member

I am trying to generate a Choropleth map to show the density of requests for each state in the US.

I am using the below query:

rex field=_raw ".*State -(?<searchState>.*) for.*" | search searchState != null | stats count by searchState | geom geo_us_states featureIdField=searchState

searchState   count   featureCollection   geom
California    2       geo_us_states
Connecticut   2       geo_us_states

The above is the output I am getting, and I am not getting any results on the map visualization.
I don't see any issue in the job log either. Can someone help me out with this?

(EDIT - I changed the code to be in "code" tags to make Answers not eat characters - Rich)


Richfez
SplunkTrust

Interesting - where the field geom is specified, you should have a bunch of stuff, like ...

 {"type":"multipolygon", "coordinates": [[[[lots of numbers here ... LOTS of numbers here... 🙂 ... }

Can you try this run-anywhere search?

| makeresults | eval state="California" | stats count by state | geom geo_us_states featureIdField=state

When it runs, in your statistics tab you should have output like I describe above for California. In the visualizations tab you should see a US or world map, with California in light pink.

Let us know what you find!

rohit_kothuru
New Member

@rich7177

I ran the run-anywhere search and I am able to see California in light pink.

rohit_kothuru
New Member

@rich7177

It was a mistake on my side. The state had spaces, and because of this it was not getting mapped.

If I run the query (with geom geo_us_states) I am getting the world map, but I want only the map of the US. Is there any way to achieve this?

Richfez
SplunkTrust

In the settings for the map, there's a way to set the default zoom level. If you get it zoomed in how you want, then set that, it should remember your settings.

rohit_kothuru
New Member

Correct query:

rex field=_raw ".*State -(?<searchState>.*) for.*" | search searchState != null | stats count by searchState | geom geo_us_states featureIdField=searchState

Richfez
SplunkTrust

Oh and I see you did that too. Well, no harm done. 🙂
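
The whitespace problem described in this thread, as an added run-anywhere example that is not part of any poster's message: the three events are constructed sample data (labelled as such inside the event text), and the trim() step is an assumed way to normalize the captured value before geom looks it up in geo_us_states. It uses the rex pattern from the thread unchanged.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n=1, "constructed sample: request State - California for search",
    n=2, "constructed sample: request State -California  for search",
    n=3, "constructed sample: request State - Connecticut for search")
| rex field=_raw ".*State -(?<searchState>.*) for.*"
| eval searchState=trim(searchState)
| stats count BY searchState
| geom geo_us_states featureIdField=searchState
```

With the eval line removed, the captured values keep their leading or trailing spaces, so stats produces keys such as " California" that match no feature in geo_us_states and the geom column stays empty.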
