Splunk Search
Highlighted

US state abbreviations to full state names - Choropleth map

Engager

I have a field [Driver State] which contains all the US states in abbreviated format (MD = Maryland).
I want to generate a choropleth map from the data and currently have the search:

index=traffic sourcetype="csv" | stats count by "Driver State" | geom geousstates featureIdField="Driver State"

I cannot figure out how to get Splunk to read the abbreviations, unless it is something more obvious I am doing wrong.

Is there another part of the search I am missing, or do I need to convert all of the abbreviations to their full length names?

Any help is appreciated,
Thanks

0 Karma
Highlighted

Re: US state abbreviations to full state names - Choropleth map

Ultra Champion
| inputlookup geo_us_states

Hi, @corky42
check this results.

ISO_3166-2:US@wikipedia

It is necessary to create a CSV that associates abbreviations with names.

abbreviated,featureIdField
AL,Alabama
AK,Alaska
AZ,Arizona
AR,Arkansas
CA,California
CO,Colorado
.......

so,
UPDATED:

index=traffic sourcetype="csv" 
| stats count by "Driver State" 
| lookup your_country_csv abbreviated as "Driver State"  OUTPUT featureIdField
| geom geo_us_states 
Highlighted

Re: US state abbreviations to full state names - Choropleth map

Engager

This worked for the translation thank you! However, I didn't get any results for "geom" in the Statistics tab, changing featureIdField to featureId did populate the "geom" column, however no data is shown on the map after.
I did create a lookup definition for my abbreviation-to-state CSV.
So I'm closer but still not quite there.

0 Karma
Highlighted

Re: US state abbreviations to full state names - Choropleth map

Ultra Champion

sorry, my query is wrong, I fix it.

0 Karma