Splunk Search

US state abbreviations to full state names - Choropleth map

corky42
Engager

I have a field [Driver State] which contains all the US states in abbreviated format (MD = Maryland).
I want to generate a choropleth map from the data and currently have the search:

index=traffic sourcetype="csv" | stats count by "Driver State" | geom geo_us_states featureIdField="Driver State"

I cannot figure out how to get Splunk to read the abbreviations, unless it is something more obvious I am doing wrong.

Is there another part of the search I am missing, or do I need to convert all of the abbreviations to their full length names?

Any help is appreciated,
Thanks

0 Karma

to4kawa
Ultra Champion
| inputlookup geo_us_states

Hi, @corky42
check this results.

ISO_3166-2:US@wikipedia

It is necessary to create a CSV that associates abbreviations with names.

abbreviated,featureIdField
AL,Alabama
AK,Alaska
AZ,Arizona
AR,Arkansas
CA,California
CO,Colorado
.......

so,
UPDATED:

index=traffic sourcetype="csv" 
| stats count by "Driver State" 
| lookup your_country_csv abbreviated as "Driver State"  OUTPUT featureIdField
| geom geo_us_states 

corky42
Engager

This worked for the translation thank you! However, I didn't get any results for "geom" in the Statistics tab, changing featureIdField to featureId did populate the "geom" column, however no data is shown on the map after.
I did create a lookup definition for my abbreviation-to-state CSV.
So I'm closer but still not quite there.

0 Karma

to4kawa
Ultra Champion

sorry, my query is wrong, I fix it.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...