In the pic below, is there a way that you can display the country name in the pop up instead of the lat and long values?
EDIT1 trying to answer woodcocks comment below
The stats that feed the above pic look as follows: (it is taken from Splunk 6.x Dashboard Examples)
geobin latitude longitude GET POST
bin_id_zl_0_y_3_x_2 -10.00000 -55.00000 8 6
bin_id_zl_0_y_4_x_1 19.43420 -99.13860 5 2
bin_id_zl_0_y_4_x_2 11.37778 -73.14076 12 6
bin_id_zl_0_y_4_x_5 16.67630 77.27630 12 7
The stats that feed the map I am working on looks like this: (but i get the same view with lat and long on the popup as above)
latitude longitude NumberofRegisteredSubscribers ks_countryname
-25.274398 133.775136 1442 Australia
37.09024 -95.712891 662 United States
Similar questions here
http://answers.splunk.com/answers/129281/map-geostats-display-city-instead-of-latitude-and-longitude...
https://answers.splunk.com/answers/302088/splunk-625-label-the-maps-popup.html
Splunk 6.3 introduced Choropleth Maps as a new visualization type. iplocation
adds a Country
field, which you can use to show a metric on a Choropleth map. If you can't use iplocation
, you can resolve a latitude/longitude combination to find out which country the coordinate is located in. The tooltip then shows the country name when you hover over it.
For your data the search would look something like this:
IPs exist to use with iplocation
...
| iplocation clientip
| stats count as NumberofRegisteredSubscribers by Region
| geom geo_countries featureIdField=Region
No IPs to use with iplocation
...
| lookup geo_countries latitude longitude OUTPUT featureId AS ks_countryname
| stats count as NumberofRegisteredSubscribers by ks_countryname
| geom geo_countries featureIdField=ks_countryname
You can find more information on Choropleth Maps and Geospatial Indexes in the Splunk Docs for 6.3.
Here are 2 options, assuming GET
and POST
are in a field called http_req
:
... | eval http_req = country . "-" . http_req | geostats latfield=Latitude longfield=Longitude count by http_req
... | append [|inputlookup countries_lat_long_int_code.csv| eval http_req = country ] | geostats latfield=Latitude longfield=Longitude count by http_req
Hi HattrickNZ,
you can concatenate the strings used in the by
clause of geostats
. I used something like this in a private app, showing new moon dates for places on the map:
| eval dates=NewMoon_starts." - ".NewMoon_ends
| other splunk foo
| geostats latfield=Latitude longfield=Longitude count by dates
and it shows like this:
Hope this helps ...
cheers, MuS
You need to tell us what is generating the latitude and longitude values. Usually this system/DB/lookup is the one that maps to country. Are you using iplocation
or something else?
the lat and long values are in a lookup that looks like the following:
| inputlookup countries_lat_long_int_code.csv
code country latitude longitude name
376 AD 42.546245 1.601554 Andorra
971 AE 23.424076 53.847818 United Arab Emirates
93 AF 33.93911 67.709953 Afghanistan
355 AL 41.153332 20.168331 Albania
374 AM 40.069099 45.038189 Armenia
Based on this how would I achieve my original question