How to plot multiple coordinates from a CSV file on a Splunk map to embed in a dashboard?

qiaojing
Path Finder

Hi,

I'm trying to plot all carpark locations on the Splunk Map. I have a lookup CSV file with the following columns:

CPK_ID, Latitude, Longitude

I do not have the lat and lon data inside the Splunk environment, so I'm trying to match the CPK_ID in the CSV file with that in the event.

... | lookup cpk_coord_lookup NUM_CPK as NUM_CPK | geostats latfield=NUM_LATD longfield=NUM_LNGTD count

However, I'm unable to plot all the carpark locations on the Splunk Map.

Any idea what I can do? E.g. using OpenStreetMap or Google Maps? Eventually I would want to embed it into the normal Splunk dashboard.

Thank you very much! 🙂

0 Karma
1 Solution

MuS
Legend

Hi qiaojing,

If your lookup contains the header CPK_ID, Latitude, Longitude, you should use Latitude and Longitude in the geostats command as well:

 ... | lookup cpk_coord_lookup NUM_CPK as NUM_CPK | geostats latfield=Latitude longfield=Longitude count by CPK_ID

Also check the event field name and the lookup field name for the carpark number, as you use NUM_CPK but mention the lookup header CPK_ID.

There is no need for the above-mentioned app; it was used in older Splunk releases to get mapping working.

Hope this helps ...

cheers, MuS

qiaojing
Path Finder

Hi, thanks for your answer. Sorry, I just realised the naming of the CSV that I posted previously was wrong. It's supposed to be NUM_CPK, NUM_LATD, NUM_LNGTD.

I managed to plot the points onto the Splunk Map. However, I realised something strange: the map shown in the search query (using Verbose Mode) has a lot more points (100+ pts) plotted than the one I saved to the dashboard (30 pts). It seems like some points were not displayed after saving to the dashboard.

Any idea why this is so?

0 Karma

MuS
Legend

Look at the base search (everything before the first | ) used in the dashboard and try to re-use it.

0 Karma

qiaojing
Path Finder

Sorry, what do you mean by re-using it?

My entire search is
sourcetype="UDBCUNIT.TF_PRKNG_MVMNT" | lookup cpk_coord_lookup NUM_CPK as NUM_CPK OUTPUT NUM_LNGTD, NUM_LATD | geostats latfield=NUM_LATD longfield=NUM_LNGTD maxzoomlevel=18 globallimit=0 count by NUM_CPK

0 Karma

MuS
Legend

You asked why it shows a different set of results.
If both searches are the same, check the time range used for the search or the dashboard. Not to forget, the zoom level will also affect the number of shown results.

0 Karma
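Added example, not part of the original thread: one way to compare what the search bar and the dashboard panel actually return is to run the same base search and lookup from the posts above as a table in both places. The output field names events, coord_status, search_earliest and search_latest are made up for this illustration.

```spl
sourcetype="UDBCUNIT.TF_PRKNG_MVMNT"
| lookup cpk_coord_lookup NUM_CPK AS NUM_CPK OUTPUT NUM_LATD, NUM_LNGTD
| stats count AS events, first(NUM_LATD) AS NUM_LATD, first(NUM_LNGTD) AS NUM_LNGTD BY NUM_CPK
| eval coord_status=if(isnull(NUM_LATD) OR isnull(NUM_LNGTD), "no_coordinates", "has_coordinates")
| addinfo
| eval search_earliest=strftime(info_min_time, "%Y-%m-%d %H:%M:%S")
| eval search_latest=strftime(info_max_time, "%Y-%m-%d %H:%M:%S")
| table NUM_CPK events coord_status NUM_LATD NUM_LNGTD search_earliest search_latest
| sort coord_status, NUM_CPK
```

Each row is one carpark seen in the time range. If the dashboard returns fewer rows than the search bar, compare search_earliest and search_latest first; rows marked no_coordinates are carparks with no match in the lookup, which geostats cannot plot.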

qiaojing
Path Finder

Okay, I will try again, thank you 🙂

0 Karma

splunkdevabhi
Explorer

Hi,

You may try using the Splunk Add-on for Google Maps
https://splunkbase.splunk.com/app/368/

0 Karma

qiaojing
Path Finder

But how do I put Google Maps inside the normal Splunk dashboard without Advanced XML?

0 Karma