In the pic below, is there a way that you can display the country name in the pop up instead of the lat and long values?
EDIT1 trying to answer woodcocks comment below
The stats that feed the above pic look as follows: (it is taken from Splunk 6.x Dashboard Examples)
geobin latitude longitude GET POST bin_id_zl_0_y_3_x_2 -10.00000 -55.00000 8 6 bin_id_zl_0_y_4_x_1 19.43420 -99.13860 5 2 bin_id_zl_0_y_4_x_2 11.37778 -73.14076 12 6 bin_id_zl_0_y_4_x_5 16.67630 77.27630 12 7
The stats that feed the map I am working on looks like this: (but i get the same view with lat and long on the popup as above)
latitude longitude NumberofRegisteredSubscribers ks_countryname -25.274398 133.775136 1442 Australia 37.09024 -95.712891 662 United States
Similar questions here
Splunk 6.3 introduced Choropleth Maps as a new visualization type.
iplocation adds a
Country field, which you can use to show a metric on a Choropleth map. If you can't use
iplocation, you can resolve a latitude/longitude combination to find out which country the coordinate is located in. The tooltip then shows the country name when you hover over it.
For your data the search would look something like this:
IPs exist to use with
... | iplocation clientip | stats count as NumberofRegisteredSubscribers by Region | geom geo_countries featureIdField=Region
No IPs to use with
... | lookup geo_countries latitude longitude OUTPUT featureId AS ks_countryname | stats count as NumberofRegisteredSubscribers by ks_countryname | geom geo_countries featureIdField=ks_countryname
You can find more information on Choropleth Maps and Geospatial Indexes in the Splunk Docs for 6.3.
Here are 2 options, assuming
POST are in a field called
... | eval http_req = country . "-" . http_req | geostats latfield=Latitude longfield=Longitude count by http_req ... | append [|inputlookup countries_lat_long_int_code.csv| eval http_req = country ] | geostats latfield=Latitude longfield=Longitude count by http_req
you can concatenate the strings used in the
by clause of
geostats. I used something like this in a private app, showing new moon dates for places on the map:
| eval dates=NewMoon_starts." - ".NewMoon_ends | other splunk foo | geostats latfield=Latitude longfield=Longitude count by dates
and it shows like this:
Hope this helps ...
the lat and long values are in a lookup that looks like the following:
| inputlookup countries_lat_long_int_code.csv
code country latitude longitude name 376 AD 42.546245 1.601554 Andorra 971 AE 23.424076 53.847818 United Arab Emirates 93 AF 33.93911 67.709953 Afghanistan 355 AL 41.153332 20.168331 Albania 374 AM 40.069099 45.038189 Armenia
Based on this how would I achieve my original question