Splunk Search

Why are Splunk custom polygons not showing up on a choropleth map?

hdn6371
Explorer

I was trying to do a Choropleth map with county I found in this blog article.

http://blogs.splunk.com/2015/10/01/use-custom-polygons-in-your-choropleth-maps/

It was really helpful and got me through most parts of it. I followed the instructions, but I can't for the life of me get the counties to show up in the visualizations. My search seems to work relatively fine and it shows the geom data, but it just doesn't show up on the map.

I used the US Census site to get the KML file, https://www.census.gov/geo/maps-data/data/kml/kml_counties.html

0 Karma

jzapantis
Path Finder

So I just wrote a complete answer and got an error when posting, so I don't have the energy to write all that again. My apologies for the simplistic answer I will write this time, but here is my SPL:

index=index source=source LOCATION=*
| dedup ID 
| fields ID, LOCATION 
| lookup mergedLocationLookup.csv locationID as LOCATION_FULL_NAME output locationID, officeName, latitude, longitude, state
| search locationID = *
| table ID, LOCATION, locationID, officeName, latitude, longitude, state
| lookup geo_us_states longitude, latitude
| stats count by featureId
| geom geo_us_states

It's all about understanding how Splunk works with .kmz files. Make sure you make your .kmz files using this method: article

Then make sure your base search has lat and long (mine didn't, that's why I do a lookup to a .csv file that does).

Then I do a lookup to my .kmz file that joins a featureId based on lat and long.

Then aggregate based on featureId.

Then plot using geom, passing the same .kmz file lookup that returned featureId.

I will explain any part in depth upon request. I just am emotionally exhausted from taking the time previously and having the network reject my initial response 🙂

That's it folks!

0 Karma

frobinson_splun
Splunk Employee

Hi @hdn6371,
I'm not sure of all the details of your situation, but are you using a KML file? Or did you convert it to a KMZ file?

Also, did you check that the lookup you created as part of using a custom KMZ file is generating a featureId?

If you could post your query, that might also help with troubleshooting.

Finally, if you haven't already had the chance, you might want to double-check the documentation about files, components, and choropleth queries here just to be sure everything is set up:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Viz/Choroplethmaps#Components_for_building_geograp...

Thanks,
@frobinson_splunk

splunk6161
Path Finder

I have performed step by step this blog: "http://blogs.splunk.com/2015/10/01/use-custom-polygons-in-your-choropleth-maps/" but it doesn't work.
These are the steps I've done:
1- Extract file cb_2014_us_cd114_500k.kml from cb_2014_us_cd114_500k.zip
2- Zip file cb_2014_us_cd114_500k.kml in my_lookup.kmz
3- Upload the KMZ file to the Lookup table files manager page (see blog)
4- Add new Lookup definitions with the correct XPath (see blog)

So, in search I tried this SPL " | inputlookup my_lookup.kmz"; this returns more than 1000 results, but I can't see anything in "statistics" or "visualization".

Where am I wrong?

Thanks

0 Karma

jzapantis
Path Finder

I am having a similar issue: here is my query

index=main source=source1 LOCATION_FULL_NAME=*
| dedup D
| fields ID, LOCATION_FULL_NAME
| lookup mergedLocationLookup.csv locationID as LOCATION_FULL_NAME output latitude, longitude, officeName , streetNumber, street, suite , neighborhood, city, zipCode, county, csa, state, region, country
| table INCIDENT_ID, LOCATION_FULL_NAME, latitude, longitude, officeName , streetNumber, street, suite , neighborhood, city, zipCode, county, csa, state, region, country
| stats count BY csa
| geom csa featureIdField="csa"

0 Karma

hdn6371
Explorer

@frobinson

index=dev "success"
| lookup geo_county longitude as lon, latitude as lat
| stats count by County
| geom geo_county

I followed the guide and added the KML file to a zip and changed the extension to kmz.

0 Karma

jzapantis
Path Finder

The problem is this line:

longitude as lon, latitude as lat

just use: longitude, latitude

0 Karma

jzapantis
Path Finder

Or use a rename command to change lat and lon to latitude and longitude to avoid the use of "as".

0 Karma

frobinson_splun
Splunk Employee

Thanks for the details. Are the "lon" and "lat" fields in your query exactly as they appear in your event data?

I think there might be an issue between the lookup step and the "stats count by County" step in your query. Does the data already have location name fields? If so, you don't need to do the lookup part of the query. You can just aggregate by County, if this is the field name in the events data.

hdn6371
Explorer

Yes it is and the lon and lat are appearing.

frobinson_splun
Splunk Employee

Ok, that's good...

I think there might be an issue between the lookup step and the "stats count by County" step in your query. Does the data already have location name fields? If so, you don't need to do the lookup part of the query. You can just aggregate by County, if this is the field name in the events data.

0 Karma

hdn6371
Explorer

That's weird because I did that on the Splunk geom of US states.

0 Karma

frobinson_splun
Splunk Employee

Can you try changing the stats part of your query to
|stats count by featureId
? Let me know if this changes anything in the visualization.

If this doesn't help, it might be useful to see a couple sample events from your data. Could you post a snippet?

hdn6371
Explorer

I got the visual to work, but for some reason it only allowed me to key off of AFFGEOID even when I try to set what feature ID I want to use from the XML. However, it seems that the KMZ file I converted to is somehow causing my bundle to blow up . . . which threw my entire cloud for a loop.

I basically had a cease and desist command on the task :(. Sadly I can't keep trying.

frobinson_splun
Splunk Employee

Thanks for the update. I'm sorry the custom KMZ file didn't work out. I'll pass along your feedback to our team. Feel free to post again here or contact support if you'd like further guidance later on.

Best,
@frobinson_splunk

0 Karma

hdn6371
Explorer

It looks like Splunk isn't parsing out my kmz file correctly; when I examine the geo definition for my results, they were all the same. . . .

0 Karma
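
The feature-ID problems reported in the last posts can be checked on the KMZ itself before it is uploaded. The following is an added example, not code from the thread or from Splunk: it zips a KML into a KMZ and reports, per Placemark, whether a candidate feature-ID path yields a value and whether that value is unique. Assumptions: a Census-style ExtendedData/SchemaData/SimpleData layout, constructed sample values, hypothetical function names, and paths written in Python ElementTree syntax relative to each Placemark rather than as the XPath string entered in the lookup definition.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

KML_NS = {"k": "http://www.opengis.net/kml/2.2"}
PLACEMARK = """<Placemark><ExtendedData><SchemaData>
<SimpleData name="AFFGEOID">%s</SimpleData><SimpleData name="NAME">%s</SimpleData>
</SchemaData></ExtendedData><Polygon><outerBoundaryIs><LinearRing>
<coordinates>%s</coordinates></LinearRing></outerBoundaryIs></Polygon></Placemark>"""
# Constructed sample: two counties sharing a NAME, with distinct (made-up) AFFGEOIDs.
SAMPLE_KML = ('<kml xmlns="http://www.opengis.net/kml/2.2"><Document>'
              + PLACEMARK % ("0500000US00001", "Washington", "-88,31 -87,31 -87,32 -88,31")
              + PLACEMARK % ("0500000US00002", "Washington", "-92,35 -91,35 -91,36 -92,35")
              + "</Document></kml>").encode("utf-8")

def build_kmz(kml_bytes, member="doc.kml"):
    """Zip a KML document into an in-memory KMZ (a KMZ is a zip holding a .kml)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, kml_bytes)
    return buf.getvalue()

def feature_ids(kmz_bytes, rel_path):
    """Return one value per Placemark for rel_path; None where nothing is selected."""
    with zipfile.ZipFile(io.BytesIO(kmz_bytes)) as zf:
        kml_names = [n for n in zf.namelist() if n.lower().endswith(".kml")]
        if not kml_names:
            raise ValueError("archive contains no .kml member")
        # Fine for a file you prepared yourself; use defusedxml for untrusted KML.
        root = ET.fromstring(zf.read(kml_names[0]))
    ids = []
    for pm in root.iter("{%s}Placemark" % KML_NS["k"]):
        node = pm.find(rel_path, KML_NS)
        text = (node.text or "").strip() if node is not None else ""
        ids.append(text or None)
    return ids

def audit(ids):
    """Summarise how usable the extracted values are as feature IDs."""
    counts = Counter(i for i in ids if i is not None)
    dups = sorted(k for k, c in counts.items() if c > 1)
    return {"placemarks": len(ids), "missing": ids.count(None), "duplicates": dups}

if __name__ == "__main__":
    kmz = build_kmz(SAMPLE_KML)
    for field in ("AFFGEOID", "NAME"):
        path = "k:ExtendedData/k:SchemaData/k:SimpleData[@name='%s']" % field
        print(field, audit(feature_ids(kmz, path)))
```

In the constructed sample, NAME is reported as a duplicate because both counties are called Washington, while AFFGEOID is unique per polygon; a path that selects nothing shows up under "missing".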