Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use geostats to mark multiple points on the map and separate them

ShiORi
New Member
‎11-15-2017 01:31 PM

Hi! I have a question that I want to mark multiple points on the map.
But it seems because the distance is too close, it merged into one point.
This is my code:

|inputlookup macAddr_lat  
|append [search source="udp:5567" 000000000d0100b4 OR 000000000d0100ce OR 000000000d0100c1 OR 000000000d0100c8 
|rex field=data "fc000105(?<ParkData>\d{2})" 
|eval ParkStatus=case(ParkData=="02","Not yet learn",ParkData=="22","Had Learn",ParkData=="20","No Car Parking",ParkData=="21","Parking",ParkData=="23","Keep Parking",ParkData=="60","No Car Parking",ParkData=="61","Parking",ParkData=="62","Keep Correcttio",ParkData=="63","Had Correcttion")
|eval secondsAgoStr=tonumber(now() - _time) 
|table macAddr data ParkData ParkStatus  _time time secondsAgoStr rssi snr ] |table macAddr data ParkData ParkStatus  _time time secondsAgoStr rssi snr latitude longtitude |selfjoin macAddr |dedup macAddr
|search ParkData=*
|eval redCount=if(ParkData=21 OR ParkData=23 OR ParkData=61,"Parking",NULL())
|eval greenCount = if (ParkData=20 OR ParkData=22 OR ParkData=60 OR ParkData=62,"No Car Parking",NULL())
|eventstats sum(duration) AS Today_Parking_TotalTime 
|eval percentage=round(duration/Today_Parking_TotalTime*100 ,2) |eval percentage=tostring(percentage+"%") | addcoltotals labelfield=Today_Parking_TotalTime label=Today_Parking_TotalTime 
|fields - _raw ,- closed_txn ,- field_match_sum , - linecount ,- Today_Parking_TotalTime 
 | geostats latfield=latitude longfield=longtitude count(redCount) as "Parking" count(greenCount) as "NoCarParking"

And the point what I click is:
alt text
How do I separate them on the map?

Preview file
52 KB
0 Karma
Reply

apilger_splunk
Splunk Employee
Splunk Employee
‎01-15-2018 10:13 AM

Hi ShiORi,

The geostats command has two parameter to adjust the granularity for positioning point on the map: binspanlong and binspanlat
You may use smaller values that default eg.:
| geostats latfield=latitude binspanlong=10 binspanlat=5 longfield=longtitude count(redCount) as "Parking" count(greenCount) as "NoCarParking"

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...