Splunk Search

How do i Map out data on Google Maps

nlfatin
New Member

Hi everyone, I am very new to Splunk and I'm trying to map out some car park related data in the Google Maps app, but to no avail. Do I need to do any other configuration for it to work? I tried these searches:

sourcetype="ltaCarpark" | head 25 | rename entry.content.m:properties.d:Latitude AS latitude, entry.content.m:properties.d:Longitude AS longitude, entry.content.m:properties.d:Lots AS lots | geonormalize | eval _geo_count=lots

Here is an example of my data output (XML):

http://datamall.mytransport.sg/LTAoDataService.svc/CarParkSet(24)
Orchard
Development: Orchard Central Lots: 157
2013-05-06T06:34:48Z

<m:properties>
  <d:CarParkID>24</d:CarParkID>
  <d:Area>Orchard</d:Area>
  <d:Development>Orchard Central</d:Development>
  <d:Lots>157</d:Lots>
  <d:Summary>Development: Orchard Central Lots: 157</d:Summary>
  <d:CreateDate>2013-05-06T06:32:07.9</d:CreateDate>
  <d:Latitude>1.300724</d:Latitude>
  <d:Longitude>103.839945</d:Longitude>
  <d:Distance>0</d:Distance>
</m:properties>

Please see the picture attached for the XML data (original).
Thank you in advance!

Nurul
(nurul27@live.com)

0 Karma
1 Solution

sdaniels
Splunk Employee

It appears as though the geonormalize command isn't working for you. You could do an eval on _geo and pipe it to a table to see if you are actually getting anything.

... | eval mygeo = _geo | table mygeo

Or try building the _geo field yourself, as shown below:

Use existing geolocation information available in search results

It's a common case that events already contain geo information.
The geonormalize command

The geonormalize command can detect existing fields containing geo information and normalizes them for the GoogleMaps module. To do this, the command searches for field pairs (a latitude field and a longitude field) matching a name scheme. The values of those fields are then merged and emitted as the _geo field. The following name schemes are supported:

*lat/*lng
*lat/*lon
*latitude/*longitude

So, for example, when an event has the fields gps_lat=47.11 and gps_lon=0.815, the geonormalize command will detect those fields and emit the _geo field with the value 47.11,0.815.

Example:
sourcetype=device_tracking device_id=A47C08B13 | geonormalize

Manually building the _geo field

If you don't want to use the geonormalize command or if the location fields do not match any naming scheme, you can manually build the _geo field.

Example:
eventtype=phone_activation | eval _geo=phone_loc_1+","+phone_loc_2
(Assuming that phone_loc_1 contains the latitude and phone_loc_2 contains the longitude)


0 Karma
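The pairing rules and the manual eval from the answer above, as an added worked example that is not code from the page, from Splunk or from the Google Maps app: a Python reimplementation of the documented name-scheme matching, run over a constructed OData/Atom entry modelled on the asker's sample. Assumptions made here and not stated on the page: the dotted field names are built to mimic the ones in the asker's search rather than by Splunk's extractor, the namespace URIs are the standard OData v2 ones, suffix matching is case-sensitive (Splunk field names are, which is why d:Latitude only pairs after the rename), and the coordinate range check in build_geo is an addition, not part of geonormalize.

```python
"""Added example: geonormalize pairing rules reimplemented (not Splunk's code)
and applied to a constructed entry modelled on the asker's XML."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the entry in the question (not a live fetch).
# Namespace URIs are the standard OData v2 ones (assumed, not on the page).
SAMPLE_XML = """<entry xmlns="http://www.w3.org/2005/Atom"
    xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
    xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">
  <content type="application/xml">
    <m:properties>
      <d:CarParkID>24</d:CarParkID>
      <d:Lots>157</d:Lots>
      <d:Latitude>1.300724</d:Latitude>
      <d:Longitude>103.839945</d:Longitude>
    </m:properties>
  </content>
</entry>"""

# URI -> prefix, so ElementTree's "{uri}local" tags become "prefix:local".
NS_PREFIX = {
    "http://www.w3.org/2005/Atom": "",
    "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata": "m",
    "http://schemas.microsoft.com/ado/2007/08/dataservices": "d",
}

# The asker's three renames.
RENAMES = {
    "entry.content.m:properties.d:Latitude": "latitude",
    "entry.content.m:properties.d:Longitude": "longitude",
    "entry.content.m:properties.d:Lots": "lots",
}

# Name schemes from the answer: *lat/*lng, *lat/*lon, *latitude/*longitude.
SCHEMES = (("lat", "lng"), ("lat", "lon"), ("latitude", "longitude"))


def _qname(tag):
    """'{uri}local' -> 'prefix:local' ('local' for the default namespace)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        prefix = NS_PREFIX.get(uri, "")
        return f"{prefix}:{local}" if prefix else local
    return tag


def flatten_xml(xml_text):
    """Leaf elements -> dotted field names mimicking the asker's search
    (an assumption about Splunk's XML extraction, not its code)."""
    fields = {}

    def walk(el, path):
        name = f"{path}.{_qname(el.tag)}" if path else _qname(el.tag)
        children = list(el)
        if not children:
            fields[name] = (el.text or "").strip()
        for child in children:
            walk(child, name)

    walk(ET.fromstring(xml_text), "")
    return fields


def rename(fields, mapping):
    """SPL 'rename old AS new' for each pair; missing sources are ignored."""
    out = dict(fields)
    for old, new in mapping.items():
        if old in out:
            out[new] = out.pop(old)
    return out


def build_geo(lat, lon):
    """The manual eval _geo=lat+","+lon from the answer, plus a range check
    (added here): non-numeric or out-of-range coordinates return None rather
    than a point the map would silently drop or misplace."""
    try:
        la, lo = float(lat), float(lon)
    except (TypeError, ValueError):
        return None
    if not (-90.0 <= la <= 90.0 and -180.0 <= lo <= 180.0):
        return None
    return f"{str(lat).strip()},{str(lon).strip()}"


def geonormalize(fields):
    """Pair a *lat-style field with the same-stem *lng/*lon/*longitude field
    and emit _geo. Matching is case-sensitive (assumed, as Splunk field names
    are), so 'd:Latitude' does not match '*latitude' until it is renamed."""
    out = dict(fields)
    for lat_sfx, lon_sfx in SCHEMES:
        for lat_name in fields:
            if not lat_name.endswith(lat_sfx):
                continue
            lon_name = lat_name[: -len(lat_sfx)] + lon_sfx
            if lon_name not in fields:
                continue
            geo = build_geo(fields[lat_name], fields[lon_name])
            if geo is not None:
                out["_geo"] = geo
                return out
    return out


def carpark_pipeline(xml_text):
    """The asker's search end to end: extract, rename, geonormalize,
    then eval _geo_count=lots so the map can size the marker."""
    event = geonormalize(rename(flatten_xml(xml_text), RENAMES))
    if "lots" in event:
        event["_geo_count"] = event["lots"]
    return event


if __name__ == "__main__":
    ev = carpark_pipeline(SAMPLE_XML)
    # The '... | eval mygeo=_geo | table mygeo' check from the answer:
    print("mygeo:", ev.get("_geo"), "_geo_count:", ev.get("_geo_count"))
```

Running geonormalize on the flattened event before the rename yields no _geo at all, which is the same empty mygeo column the answer tells the asker to look for; after the rename the pair latitude/longitude matches the third scheme and _geo becomes 1.300724,103.839945. The phone_loc_1/phone_loc_2 case from the answer matches no scheme, which is exactly when build_geo (the manual eval) is the right tool.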
