Splunk Search

How to disable location clustering of results on a map generated by the geostats command in Splunk 6.1?

Explorer

I have a geostats map in version 6.1 and I want to force it to NOT use clustering. I want to see an indicator for each of my locations and not have them grouped. Has anyone accomplished this or do you know how it can be done? Thank you.

Tags (3)
1 Solution

Splunk Employee
Splunk Employee

I would recommend trying the optional geostats argument maxzoomlevel :

As an example: index=example | geostats maxzoomlevel=15 count by host .

Jacob
Sr. Technical Support Engineer

View solution in original post

Esteemed Legend

The accepted answer only fences the zoom, the way to do what was actually asked is like this:

... | geostats binspanlat=1 binspanlong=1 ....

Explorer

Thanks this works better for me than the previous answer!

Esteemed Legend

You might consider switching the Accepted answer so that other people will get the best answer.

0 Karma

Contributor

The temporary solution was to reduce the cluster size so that the clusters don't merge and also fixing the minimum and maximum zoom levels. I have limited locations on the map so i used the temporary solution. Below are the options which i played around.

  option name="charting.chart.bubbleMaximumSize" 50 /option
    option name="charting.chart.bubbleMinimumSize" 10 /option
0 Karma

Splunk Employee
Splunk Employee

I would recommend trying the optional geostats argument maxzoomlevel :

As an example: index=example | geostats maxzoomlevel=15 count by host .

Jacob
Sr. Technical Support Engineer

View solution in original post

Esteemed Legend

See my unaccepted answer below for the correct setting to use for this.

New Member

Thank you!! This works perfectly now 🙂

0 Karma

Communicator

THANK YOU.

I read before the maxzoomlevel argument, but I never used it because I understood that was like the tile > maxzoomlevel option of the GUI. I tried right now, and it worked.

For me, this is the answer that I wanted.

Thank you again.

0 Karma

Contributor

You can avoid clustering by increasing the maximum number of clusters, below I have given maximum clusters as 999. You can increase the values further if you want. keep increasing the maximum cluster values until you get satisfactory result.But splunk recommends us to keep the value as "100" for maximum performance.

option name="mapping.data.maxClusters">900

Communicator

I guess that the "problem" is relative to the maximum zoom level used by geostats. The levels are between 0 and 9. If I use opestreetmaps I get more zoom levels, but geostats represent the data always with the basic zoom levels (0-9). If geostats choose that in level 9 two or more locations will be together, I can't say "don't do it" even if I use the option name="mapping.data.maxClusters" in xml.

Well... any suggestions, please?

Regards.

0 Karma

Engager

I am running into this same problem, in that I am trying to plot points on a map, but even though OpenStreetMaps allows me to zoom down to the building level, my points plotted over the span of a few blocks always wind up being aggregated together. Any ideas on how to fix this?

Communicator

Hi there.

I have the same problem, but in 6.2.3. I tried the mapping.data.maxCluesters option, but I don't get any difference. I read the docs, but I don't find answers. Any suggestions?

Regards.

0 Karma