Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to customize legend on choropleth map?

dgoamaral
Engager
‎09-13-2020 09:38 PM

Hello folks,

Please help me figure out how to customize the legend values of my choropleth map. I'd like to get the average logon duration of each device and then have a choropleth map (which is working based on country) and set legend green if avg_logon_duration was equal or lower than 10; yellow if it was between 11 and 20 and red if greater or equal to 21.

Here is my current table structure:

countrydevicelogon_duration
BrazilXYZ0121.05
USAABC0116.99
GermanyFE-015.75
IndiaMUM0110.00

 

I've already tried to use rangemap and also editing XML with mapping.fieldColors ({"green":0xFF0000,"yellow":0xFFFF00,"red":0x00FF00}) which I found in another article, but it did not work.

Here is my last code:

 

 

 

| stats avg(logon_duration) as avg_logon_duration by CountryName
| geom geo_countries featureIdField=CountryName 
| rangemap field=avg_logon_duration green=0-10 yellow=11-20 red=21-99 default=white

 

 

 

The closest I got so far was using mapping.seriesColors with colors array [0xFF0000,0xFFFF00,0x00FF00], but it completely ignores the categorical values I choose on the choropleth map.

Any help would be really appreciated.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-13-2020 10:48 PM

See this example dashboard using your example data

<dashboard>
  <label>Test</label>
  <row>
    <panel>
      <map>
        <search>
          <query>| makeresults
| eval _raw="country,device,logon_duration
Brazil,XYZ01,21.05
United States,ABC01,16.99
Germany,FE-01,5.75
India,MUM01,10.00"
| multikv forceheader=1
| eval CountryName=country
| rangemap field=logon_duration green=0-10 yellow=11-20 red=21-99 default=white
| fields CountryName range
| sort range
| geom geo_countries featureIdField=CountryName
          </query>
          <earliest>0</earliest>
        </search>
        <option name="drilldown">all</option>
        <option name="height">600</option>
        <option name="mapping.choroplethLayer.colorBins">4</option>
        <option name="mapping.choroplethLayer.colorMode">auto</option>
        <option name="mapping.choroplethLayer.minimumColor">0x53a051</option>
        <option name="mapping.choroplethLayer.neutralPoint">50</option>
        <option name="mapping.choroplethLayer.shapeOpacity">0.85</option>
        <option name="mapping.map.center">(17.98,4.57)</option>
        <option name="mapping.map.zoom">2</option>
        <option name="mapping.seriesColors">[0x00FF00, 0xFF0000, 0xFFFF00, 0x000000 ]</option>
        <option name="mapping.tileLayer.maxZoom">19</option>
        <option name="mapping.tileLayer.tileOpacity">0.7</option>
        <option name="mapping.tileLayer.url">http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png</option>
        <option name="mapping.type">choropleth</option>
      </map>
    </panel>
  </row>
</dashboard>

The seriesColors will reflect the SORTED values of the range field, so G R Y W for your colours reflect the ordering of the colours in that setting. Note if you do not do the 'sort range' it will change the colours.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-13-2020 10:48 PM

See this example dashboard using your example data

<dashboard>
  <label>Test</label>
  <row>
    <panel>
      <map>
        <search>
          <query>| makeresults
| eval _raw="country,device,logon_duration
Brazil,XYZ01,21.05
United States,ABC01,16.99
Germany,FE-01,5.75
India,MUM01,10.00"
| multikv forceheader=1
| eval CountryName=country
| rangemap field=logon_duration green=0-10 yellow=11-20 red=21-99 default=white
| fields CountryName range
| sort range
| geom geo_countries featureIdField=CountryName
          </query>
          <earliest>0</earliest>
        </search>
        <option name="drilldown">all</option>
        <option name="height">600</option>
        <option name="mapping.choroplethLayer.colorBins">4</option>
        <option name="mapping.choroplethLayer.colorMode">auto</option>
        <option name="mapping.choroplethLayer.minimumColor">0x53a051</option>
        <option name="mapping.choroplethLayer.neutralPoint">50</option>
        <option name="mapping.choroplethLayer.shapeOpacity">0.85</option>
        <option name="mapping.map.center">(17.98,4.57)</option>
        <option name="mapping.map.zoom">2</option>
        <option name="mapping.seriesColors">[0x00FF00, 0xFF0000, 0xFFFF00, 0x000000 ]</option>
        <option name="mapping.tileLayer.maxZoom">19</option>
        <option name="mapping.tileLayer.tileOpacity">0.7</option>
        <option name="mapping.tileLayer.url">http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png</option>
        <option name="mapping.type">choropleth</option>
      </map>
    </panel>
  </row>
</dashboard>

The seriesColors will reflect the SORTED values of the range field, so G R Y W for your colours reflect the ordering of the colours in that setting. Note if you do not do the 'sort range' it will change the colours.

 

0 Karma
Reply
Solved! Jump to solution

dgoamaral
Engager
‎09-14-2020 09:28 AM

That works! Thanks a lot! 

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...