How to do conditional formatting with geostats to color code points on a Splunk map with different ranges of count values?

Path Finder

Hi

I'm trying to display coordinates on a Splunk Map and color code the points with different ranges of count values.

I managed to create the map with the default pie chart with the search string below, but it's using the default colors.

[base search] | lookup cpk_coord_lookup NUM_CPK as NUM_CPK OUTPUT NUM_LNGTD, NUM_LATD | geostats latfield=NUM_LATD longfield=NUM_LNGTD maxzoomlevel=18 globallimit=0 count by NUM_CPK

I also referred to a similar question:
https://answers.splunk.com/answers/221348/geostats-display-bubbles-on-map-instead-of-pie-cha.html
and came up with a second search which is color coded, but each bubble is identified by the color category (e.g. greenCount) instead of the NUM_CPK (ID).

[base search] | lookup cpk_coord_lookup NUM_CPK as NUM_CPK OUTPUT NUM_LNGTD, NUM_LATD | geostats latfield=NUM_LATD longfield=NUM_LNGTD maxzoomlevel=18 globallimit=0 count(NUM_CPK) as TOTAL | eval redCount = if(TOTAL >= 50000,TOTAL,0) | eval yellowCount = if((TOTAL >= 10000 AND TOTAL < 50000),TOTAL,0) | eval greenCount = if(TOTAL < 10000,TOTAL,0) | fields - TOTAL

I understand that the 2nd search string is not displaying the NUM_CPK column because I didn't use the BY clause. However, if I use the BY clause (first search string), I won't be able to do conditional formatting on the points anymore.

Any idea how I can use the first search string and yet do conditional formatting? Any help will be greatly appreciated.

Thank you very much.

0 Karma
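One way to keep the NUM_CPK in the legend while still applying the count thresholds from the question is to do the counting with stats before geostats, classify each ID into a range, and make the split-by field a composite of range and ID. This is an added example, not a search from the thread or from Splunk's documentation; it assumes the same lookup and field names as the question and reuses its thresholds (50000 and 10000), which are the asker's own values. Splunk's built-in map still assigns pie colors to series automatically, so the range label in the legend is what carries the threshold, not a forced color.

```spl
[base search]
| lookup cpk_coord_lookup NUM_CPK as NUM_CPK OUTPUT NUM_LNGTD, NUM_LATD
| stats count by NUM_CPK, NUM_LATD, NUM_LNGTD
| eval range=case(count>=50000, "red", count>=10000, "yellow", true(), "green")
| eval series=range.":".NUM_CPK
| geostats latfield=NUM_LATD longfield=NUM_LNGTD maxzoomlevel=18 globallimit=0 sum(count) by series
```

The stats step produces one row per ID and coordinate pair, so the case() evaluates the total for each NUM_CPK rather than for a whole map cell; geostats then re-aggregates those totals per cell with sum(count), and each pie slice is labelled like "red:12345", which shows both the ID and which range it fell into. The thresholds are evaluated once per ID, so an ID that is just under 50000 at one zoom level will not flip to red when cells merge at a lower zoom.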

Splunk Employee

Have a look at this post:

https://answers.splunk.com/answers/221348/geostats-display-bubbles-on-map-instead-of-pie-cha.html

If you're using Splunk 6.4, you can take advantage of other mapping visualization apps like:

Clustered Single Value Map Visualization

Custom Cluster Map Visualization

0 Karma

Path Finder

@shaskell_splunk Hi, I have already referred to that post as mentioned above. The solution in that post is unable to display the CPK_NUM for me; it only displays the category of count as it doesn't have a by-clause after count.

I need to use the count by CPK_NUM and at the same time do conditional formatting.

Unfortunately, I'm using v6.2.1.

0 Karma

Engager

I have the same problem

0 Karma