US state abbreviations to full state names - Choro...

corky42 · ‎12-15-2019

I have a field [Driver State] which contains all the US states in abbreviated format (MD = Maryland).
I want to generate a choropleth map from the data and currently have the search:

index=traffic sourcetype="csv" | stats count by "Driver State" | geom geo_us_states featureIdField="Driver State"

I cannot figure out how to get Splunk to read the abbreviations, unless it is something more obvious I am doing wrong.

Is there another part of the search I am missing, or do I need to convert all of the abbreviations to their full length names?

Any help is appreciated,
Thanks

to4kawa · ‎12-16-2019

| inputlookup geo_us_states

Hi, @corky42
check this results.

ISO_3166-2:US@wikipedia

It is necessary to create a CSV that associates abbreviations with names.

abbreviated,featureIdField
AL,Alabama
AK,Alaska
AZ,Arizona
AR,Arkansas
CA,California
CO,Colorado
.......

so,
UPDATED:

index=traffic sourcetype="csv" 
| stats count by "Driver State" 
| lookup your_country_csv abbreviated as "Driver State"  OUTPUT featureIdField
| geom geo_us_states

corky42 · ‎12-16-2019

This worked for the translation thank you! However, I didn't get any results for "geom" in the Statistics tab, changing featureIdField to featureId did populate the "geom" column, however no data is shown on the map after.
I did create a lookup definition for my abbreviation-to-state CSV.
So I'm closer but still not quite there.

to4kawa · ‎12-16-2019

sorry, my query is wrong, I fix it.

US state abbreviations to full state names - Choropleth map

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?