Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are Splunk custom polygons not showing up on a choropleth map?

hdn6371
Explorer
‎10-29-2015 01:15 PM

I was trying to do a Choropleth map with county I found in this blog article.

http://blogs.splunk.com/2015/10/01/use-custom-polygons-in-your-choropleth-maps/

It was really helpful and got me through most parts of it. I followed the instructions, but I can't for the life of me get the counties to show up in the visualizations. My search seems to work relatively fine and it shows the geom data, but it just doesn't show up on the map.

I used the us census site to get the KML file, https://www.census.gov/geo/maps-data/data/kml/kml_counties.html

0 Karma
Reply

jzapantis
Path Finder
‎03-22-2017 07:31 AM

So I just wrote a complete answer and got an error when posting so i dont have the energy to write all that again, so my apologies for the simplistic answer I will write this time, but here is my SPL:

index=index source=source LOCATION=*
| dedup ID 
| fields ID, LOCATION 
| lookup mergedLocationLookup.csv locationID as LOCATION_FULL_NAME output locationID, officeName, latitude, longitude, state
| search locationID = *
| table ID, LOCATION, locationID, officeName, latitude, longitude, state
| lookup geo_us_states longitude, latitude
| stats count by featureId
| geom geo_us_states

Its all about understanding how Splunk works with .kmz files. make sure your make your .kmz files using this method: article

Then make sure your base search has lat and long (mine didnt thats why I do a lookup to a .csv file that does.

Then I do a lookup to my .kmz file that joins a featureId based on lat and long.

Then aggregate based on featureId.

Then plot using geom, passing the same .kmz file lookup that returned featureId.

I will explain any part in depth upon request. I just am emotionally exhausted from taking the time previously and having the network reject my initial response 🙂

That's it folks!

0 Karma
Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎10-29-2015 02:10 PM

Hi @hdn6371,
I'm not sure of all the details of your situation, but are you using a KML file? Or did you convert it to a KMZ file?

Also, did you check that the lookup you created as part of using a custom KMZ file is generating a featureId?

If you could post your query, that might also help with troubleshooting.

Finally, if you haven't already had the chance, you might want to double-check the documentation about files, components, and choropleth queries here just to be sure everything is set up:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Viz/Choroplethmaps#Components_for_building_geograp...

Thanks,
@frobinson_splunk

Reply

splunk6161
Path Finder
‎06-20-2018 10:01 AM

I have performed step by step this blog: "http://blogs.splunk.com/2015/10/01/use-custom-polygons-in-your-choropleth-maps/" but doesn't work.
These are the steps I've done:
1- Etxract file cb_2014_us_cd114_500k.kml from cb_2014_us_cd114_500k.zip
2- Zip file cb_2014_us_cd114_500k.kml in my_lookup.kmz
3- Upload the KMZ file to the Lookup table files manager page (see blog)
4- Add new Lookup definitions with the correct XPath (see blog)

So, in search i tried this SPL " | inputlookup my_lookup.kmz", this return more then 1000result but i cant see nothing in "statistics" or "visualization"

Where am I wrong?

Thanks

0 Karma
Reply

jzapantis
Path Finder
‎03-17-2017 01:55 PM

I am having a similar issue: here is my query

index=main source=source1 LOCATION_FULL_NAME=*
| dedup D
| fields ID, LOCATION_FULL_NAME
| lookup mergedLocationLookup.csv locationID as LOCATION_FULL_NAME output latitude, longitude, officeName , streetNumber, street, suite , neighborhood, city, zipCode, county, csa, state, region, country
| table INCIDENT_ID, LOCATION_FULL_NAME, latitude, longitude, officeName , streetNumber, street, suite , neighborhood, city, zipCode, county, csa, state, region, country
| stats count BY csa
| geom csa featureIdField="csa"

0 Karma
Reply

hdn6371
Explorer
‎10-29-2015 02:14 PM

@frobinson

index=dev "success"
| lookup geo_county longitude as lon, latitude as lat
| stats count by County
| geom geo_county

I followed the guide and added the KML file to a zip and change the extension to a kmz

0 Karma
Reply

jzapantis
Path Finder
‎03-22-2017 07:33 AM

The problem is this line:

longitude as lon, latitude as lat

just use: longitude, latitude

0 Karma
Reply

jzapantis
Path Finder
‎03-22-2017 07:34 AM

or use a rename command to change lat and lon to latitude and longitude to avoid the use of "as"

0 Karma
Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎10-29-2015 02:23 PM

Thanks for the details. Are the "lon" and "lat" fields in your query exactly as they appear in your event data?

I think there might be an issue between the lookup step and the "stats count by County" step in your query. Does the data already have location name fields? If so, you don't need to do the lookup part of the query. You can just aggregate by County, if this is the field name in the events data.

Reply

hdn6371
Explorer
‎10-29-2015 02:34 PM

Yes it is and the lon and lat are appearing.

Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎10-29-2015 02:39 PM

Ok, that's good...

I think there might be an issue between the lookup step and the "stats count by County" step in your query. Does the data already have location name fields? If so, you don't need to do the lookup part of the query. You can just aggregate by County, if this is the field name in the events data.

0 Karma
Reply

hdn6371
Explorer
‎10-30-2015 01:03 PM

That's weird because I did that on the splunk goem of us states.

0 Karma
Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎10-30-2015 01:38 PM

Can you try changing the stats part of your query to
|stats count by featureId
? Let me know if this changes anything in the visualization.

If this doesn't help, it might be useful to see a couple sample events from your data. Could you post a snippet?

Reply

hdn6371
Explorer
‎11-03-2015 09:59 AM

I got the visual to work but for some reason it only allowed me to key of of AFFGEOID even when I try to set what feature ID I want to use from the xml. However it seems that the KMZ file I converted to is somehow causing my bundle to blow up . . . which threw my entire cloud for a loop.

I basically had a cease and desist command on the task :(. Sadly I can't keep trying.

Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎11-03-2015 10:17 AM

Thanks for the update. I'm sorry the custom KMZ file didn't work out. I'll pass along your feedback to our team. Feel free to post again here or contact support if you'd like further guidance later on.

Best,
@frobinson_splunk

0 Karma
Reply

hdn6371
Explorer
‎10-29-2015 02:06 PM

It looks like splunk isn't parsing out my kmz file correctly when i examine the geo definition for my results they where all the same. . . .

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...