I'm trying to display coordinates on a Splunk Map and color code the points with different ranges of count values.
I managed to create the map with the default pie chart with the search string below, but it's using the default colors.
[base search] | lookup cpk_coord_lookup NUM_CPK as NUM_CPK OUTPUT NUM_LNGTD, NUM_LATD | geostats latfield=NUM_LATD longfield=NUM_LNGTD maxzoomlevel=18 globallimit=0 count by NUM_CPK
I also referred to a similar question:
and came up with a second code which is color coded, but each bubble is identified by the color category (e.g. greenCount) instead of the
[base search] | lookup cpk_coord_lookup NUM_CPK as NUM_CPK OUTPUT NUM_LNGTD, NUM_LATD | geostats latfield=NUM_LATD longfield=NUM_LNGTD maxzoomlevel=18 globallimit=0 count(NUM_CPK) as TOTAL | eval redCount = if(TOTAL >= 50000,TOTAL,0) | eval yellowCount = if((TOTAL >= 10000 AND TOTAL < 50000),TOTAL,0) | eval greenCount = if(TOTAL < 10000,TOTAL,0) | fields - TOTAL
I understand that the 2nd search string is not displaying the NUM_CPK column because I didn't use the BY clause. However, if I use the BY clause (first search string), I won't be able to do conditional formatting on the points anymore.
Any idea how I can use the first search string and yet do conditional formatting? Any help will be greatly appreciated.
Thank you very much.
Have a look at this post:
If you're using Splunk 6.4 you can take advantage of other mapping visualization apps like:
@shaskell_splunk Hi, I have already referred to that post as mentioned above. The solution in that post is unable to display the CPK_NUM for me; it only displays the category of count as it doesn't have a by-clause after count.
I need to use the count by CPK_NUM and at the same time do conditional formatting.
Unfortunately, I'm using v 6.2.1