How to edit my choropleth map to show the value a ...

andrwbn · ‎01-19-2017

I have created a choropleth map, but the values on the map shown is "avg_duration". I want to have the value instead be "one". I think the problem might be because the "one" field was created through an eval. Any help is much appreciated, thanks!

sourcetype=apache host="*ucd"| 
transaction tip, sid startswith="ucd-web/start" endswith=(x="landingready")| 
geoip tip| 
stats avg(duration) by tip_country_name | 
rename avg(duration) as avg_duration |
join [search sourcetype=apache host="*ucd" | 
transaction tip, sid startswith="ucd-web/start" endswith=(x="landingready") | 
geoip tip | 
stats avg(duration) as "total_avg" ] | 
eval one=total_avg-avg_duration  |
geom geo_countries featureIdField=tip_country_name

DalJeanis · ‎01-20-2017

Current answer:

The map can only handle two values - in this case, you want tip_country_name and your "one", which is a delta_duration.

Add this code immediately before the last line in your query

table  tip_country_name one |
rename one as delta_duration |

Prior answer:

This would have worked, but the stats part is unnecessary overhead.

Try inserting this as the next-to-the-last line and see if the geom is picking what to display automagically from the last stats command it could see...

stats first(one) as delta_duration by tip_country_name |

I've used your standard of putting the pipe at the end.

How to edit my choropleth map to show the value a field created through an eval?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms