I have a field [Driver State] which contains all the US states in abbreviated format (MD = Maryland).
I want to generate a choropleth map from the data and currently have the search:
index=traffic sourcetype="csv" | stats count by "Driver State" | geom geo_us_states featureIdField="Driver State"
I cannot figure out how to get Splunk to read the abbreviations, unless it is something more obvious I am doing wrong.
Is there another part of the search I am missing, or do I need to convert all of the abbreviations to their full length names?
Any help is appreciated.
| inputlookup geo_us_states
Check these results.
It is necessary to create a CSV that associates abbreviations with names.
abbreviated,featureIdField
AL,Alabama
AK,Alaska
AZ,Arizona
AR,Arkansas
CA,California
CO,Colorado
.......
index=traffic sourcetype="csv" | stats count by "Driver State" | lookup your_country_csv abbreviated as "Driver State" OUTPUT featureIdField | geom geo_us_states
This worked for the translation, thank you! However, I didn't get any results for "geom" in the Statistics tab. Changing featureIdField to featureId did populate the "geom" column; however, no data is shown on the map after that.
I did create a lookup definition for my abbreviation-to-state CSV.
So I'm closer but still not quite there.