Solved: How do i Map out data on Google Maps

nlfatin · ‎05-05-2013

Hi everyone, I am very new to splunk and im trying to map out some car park relevant data on Google Maps app but to no avail. Do I need to do any other configurations for it to work? I tried these searches:

Here is an example of my data output(xml):

http://datamall.mytransport.sg/LTAoDataService.svc/CarParkSet(24)

Orchard

Development: Orchard Central Lots: 157

2013-05-06T06:34:48Z

24/d:CarParkID

Orchard/d:Area

Orchard Central/d:Development

157/d:Lots

Development: Orchard Central Lots: 157/d:Summary

2013-05-06T06:32:07.9/d:CreateDate

1.300724/d:Latitude

103.839945/d:Longitude

0/d:Distance

/m:properties

Pls See the picture attached for the xml data (original)
Thank you in advance!

Nurul
(nurul27@live.com)

sdaniels · ‎05-06-2013

It appears as though using geonormalize command isn't working for you. You could do an eval on _geo and pipe it to a table to see if you are actually getting anything.

... | eval mygeo = _geo | table mygeo

Or try building the _geo field yourself as you see below:

Use existing geolocation information available in search results

It's common case that events already contain geo information.
The geonormalize command

The geonormalize command can detect existing fields containing the geoinformation and normalizes them for the GoogleMaps module. For doing this the command searches for field pairs (a latitude field and a longitude field) matching a name scheme. The values of those fields are then merged and emitted as the _geo field. The following name schemes are supported:

*lat/*lng
*lat/*lon
*latitude/*longitude

So for example when an event has the fields gps_lat=47.11 and gps_lon=0.815 the geonormalize command will detect those fields and emit the _geo field with the value 47.11,0.815.

Example:
sourcetype=device_tracking device_id=A47C08B13 | geonormalize
Manual building the _geo field

If you don't want to use the geonormalize command or if the location fields do not match any naming scheme, you can manually build the _geo field.

Example:
eventtype=phone_activation | eval _geo=phone_loc_1+","+phone_loc_2
(Assuming that phone_loc_1 contains the latitude and phone_loc_2 contains the longitude)

View solution in original post

sdaniels · ‎05-06-2013

It appears as though using geonormalize command isn't working for you. You could do an eval on _geo and pipe it to a table to see if you are actually getting anything.

... | eval mygeo = _geo | table mygeo

Or try building the _geo field yourself as you see below:

Use existing geolocation information available in search results

It's common case that events already contain geo information.
The geonormalize command

The geonormalize command can detect existing fields containing the geoinformation and normalizes them for the GoogleMaps module. For doing this the command searches for field pairs (a latitude field and a longitude field) matching a name scheme. The values of those fields are then merged and emitted as the _geo field. The following name schemes are supported:

*lat/*lng
*lat/*lon
*latitude/*longitude

So for example when an event has the fields gps_lat=47.11 and gps_lon=0.815 the geonormalize command will detect those fields and emit the _geo field with the value 47.11,0.815.

Example:
sourcetype=device_tracking device_id=A47C08B13 | geonormalize
Manual building the _geo field

If you don't want to use the geonormalize command or if the location fields do not match any naming scheme, you can manually build the _geo field.

Example:
eventtype=phone_activation | eval _geo=phone_loc_1+","+phone_loc_2
(Assuming that phone_loc_1 contains the latitude and phone_loc_2 contains the longitude)

How do i Map out data on Google Maps

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024