- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookup based range of latitude and longitude
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lookup based range of latitude and longitude
Hi
I'm looking for a sample search that calculates count of events which match within 500m radius of lat/long on lookup table.
Sample events:
2017/02/02 10:00:01 event_id="1" latitude="34.49293" longitude="132.399270"
Lookup sample "MASTER" for location (CSV):
shop,address,latitude,longitude
AAA,563 2nd St,34.492109,132.399582
BBB,201 3rd St,34.395424,132.488734
Expected output table:
shop,address,latitude,longitude,event match count
AAA,563 2nd St,34.492109,132.399582,1
BBB,201 3rd St,34.395424,132.488734,0
I tried and could create the following search that find events within 500m radius of lat/long on lookup table.
sourcetype=hoge [| inputlookup MASTER.csv | eval w_lng = longitude - (500 / 30.8184*0.000277778) | eval w_lat = latitude - (500 / 25.2450*0.000277778) | eval e_lng = longitude + (500 / 30.8184*0.000277778) | eval e_lat = latitude + (500 / 25.2450*0.000277778) | table shop_name address longitude latitude w_lng w_lat e_lng e_lat | eval search = "(longitude >= " . w_lng ." AND latitude >= " . w_lat . ") AND (longitude <= " . e_lng ." AND latitude <= " . e_lat . ")" | fields search]
But I'm not sure how to create the expected output table.
Any sample search would be really appreciated..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How dense is the data? That is, are the events likely to be within 500 miles of a high percentage of the locations, or just a few of them?
How many locations are on your lookup table? Presumably, the list of locations is much smaller than the list of event locations.
So, one possible solution would be to think in terms of "regions". Let's say that your latitude and longitude for the event, for lookup purposes, will be rounded to the nearest 1 degree, or 3 degree, or 5 degree point.
At the 5-degree level, latitude="34.49293" and longitude="132.399270" would go to lookupLatLong="35,130"
Now, on your lookup location table, you create a multivalue field for each location that has all the lookupLatLong values that might have a point within 500 miles of the location.
This way, a single lookup returns all candidate locations that MIGHT be within 500 miles. Then you use an accurate calculation to estimate the distance more closely, for example the spherical law of cosines -
=ACOS( SIN(lat1)*SIN(lat2) + COS(lat1)*COS(lat2)*COS(lon2-lon1) ) * 3962
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for misleading sentence. I mean that 500m is 500 meters (0.3 miles)
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
