Why are Splunk custom polygons not showing up on a choropleth map?

Explorer

I was trying to do a choropleth map with counties, which I found in this blog article.

http://blogs.splunk.com/2015/10/01/use-custom-polygons-in-your-choropleth-maps/

It was really helpful and got me through most parts of it. I followed the instructions, but I can't for the life of me get the counties to show up in the visualizations. My search seems to work relatively fine and it shows the geom data, but it just doesn't show up on the map.

I used the US Census site to get the KML file: https://www.census.gov/geo/maps-data/data/kml/kml_counties.html

0 Karma

Path Finder

So I just wrote a complete answer and got an error when posting, so I don't have the energy to write all that again. My apologies for the simplistic answer I will write this time, but here is my SPL:

index=index source=source LOCATION=*
| dedup ID 
| fields ID, LOCATION 
| lookup mergedLocationLookup.csv locationID as LOCATION_FULL_NAME output locationID, officeName, latitude, longitude, state
| search locationID = *
| table ID, LOCATION, locationID, officeName, latitude, longitude, state
| lookup geo_us_states longitude, latitude
| stats count by featureId
| geom geo_us_states

It's all about understanding how Splunk works with .kmz files. Make sure you make your .kmz files using this method: article

Then make sure your base search has lat and long (mine didn't, that's why I do a lookup to a .csv file that does).

Then I do a lookup to my .kmz file that joins a featureId based on lat and long.

Then aggregate based on featureId.

Then plot using geom, passing the same .kmz file lookup that returned featureId.

I will explain any part in depth upon request. I just am emotionally exhausted from taking the time previously and having the network reject my initial response 🙂

That's it folks!

0 Karma

Splunk Employee

Hi @hdn6371,
I'm not sure of all the details of your situation, but are you using a KML file? Or did you convert it to a KMZ file?

Also, did you check that the lookup you created as part of using a custom KMZ file is generating a featureId?

If you could post your query, that might also help with troubleshooting.

Finally, if you haven't already had the chance, you might want to double-check the documentation about files, components, and choropleth queries here just to be sure everything is set up:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Viz/Choroplethmaps#Components_for_building_geograp...

Thanks,
@frobinson_splunk

Path Finder

I have followed this blog step by step: "http://blogs.splunk.com/2015/10/01/use-custom-polygons-in-your-choropleth-maps/" but it doesn't work.
These are the steps I've done:
1- Extract file cb2014uscd114500k.kml from cb2014uscd114500k.zip
2- Zip file cb2014uscd114500k.kml in my_lookup.kmz
3- Upload the KMZ file to the Lookup table files manager page (see blog)
4- Add new Lookup definitions with the correct XPath (see blog)

So, in search I tried this SPL " | inputlookup my_lookup.kmz". This returns more than 1000 results, but I can't see anything in "statistics" or "visualization".

Where am I wrong?

Thanks

0 Karma
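A local check for the packaging steps listed in the post above, as an added example that is not part of the original thread or of Splunk's tooling: it confirms the .kmz is a real zip holding a .kml, and that the path chosen for the feature ID yields one distinct value per Placemark. The sample KML is constructed, and the KML 2.2 namespace and the `NAME`/`STATEFP` attribute names are assumptions about the file's layout.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"k": "http://www.opengis.net/kml/2.2"}  # assumed KML 2.2 namespace
NAME_PATH = "k:ExtendedData/k:SchemaData/k:SimpleData[@name='NAME']"
RING = ("<Polygon><outerBoundaryIs><LinearRing><coordinates>"
        "-86.9,32.6 -86.4,32.6 -86.4,32.3 -86.9,32.6"
        "</coordinates></LinearRing></outerBoundaryIs></Polygon>")

def placemark(name, state):
    # Constructed sample feature, shaped like a county Placemark.
    return ("<Placemark><ExtendedData><SchemaData>"
            f'<SimpleData name="NAME">{name}</SimpleData>'
            f'<SimpleData name="STATEFP">{state}</SimpleData>'
            f"</SchemaData></ExtendedData>{RING}</Placemark>")

SAMPLE_KML = ('<kml xmlns="http://www.opengis.net/kml/2.2"><Document>'
              + placemark("Autauga", "01") + placemark("Baldwin", "01")
              + "</Document></kml>")

def build_kmz(kml_text, inner_name="doc.kml"):
    # A KMZ is a zip archive holding the KML; renaming .kml to .kmz is not enough.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(inner_name, kml_text)
    return buf.getvalue()

def check_kmz(kmz_bytes, id_path):
    # Returns (distinct feature IDs, list of problems found).
    if not zipfile.is_zipfile(io.BytesIO(kmz_bytes)):
        return [], ["not a zip archive"]
    with zipfile.ZipFile(io.BytesIO(kmz_bytes)) as z:
        kmls = [n for n in z.namelist() if n.lower().endswith(".kml")]
        if not kmls:
            return [], ["no .kml inside archive"]
        root = ET.fromstring(z.read(kmls[0]))
    ids, problems = [], []
    for pm in root.iterfind(".//k:Placemark", NS):
        node = pm.find(id_path, NS)
        ids.append(node.text.strip() if node is not None and node.text else None)
        if pm.find(".//k:Polygon", NS) is None:
            problems.append("placemark without Polygon")
    if not ids:
        problems.append("no Placemark elements")
    if None in ids:
        problems.append("feature ID path matched nothing")
    dupes = [i for i, n in Counter(ids).items() if i is not None and n > 1]
    if dupes:
        problems.append("duplicate feature IDs: " + ", ".join(sorted(dupes)))
    return sorted({i for i in ids if i is not None}), problems
```

To run it against a real file, pass `open("my_lookup.kmz", "rb").read()` as the first argument; a path that reports duplicates or no matches will not give the map distinct polygons to key on.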

Path Finder

I am having a similar issue: here is my query

index=main source=source1 LOCATIONFULLNAME=*
| dedup D
| fields ID, LOCATIONFULLNAME
| lookup mergedLocationLookup.csv locationID as LOCATIONFULLNAME output latitude, longitude, officeName , streetNumber, street, suite , neighborhood, city, zipCode, county, csa, state, region, country
| table INCIDENTID, LOCATIONFULL_NAME, latitude, longitude, officeName , streetNumber, street, suite , neighborhood, city, zipCode, county, csa, state, region, country
| stats count BY csa
| geom csa featureIdField="csa"

0 Karma

Explorer

@frobinson

index=dev "success"
| lookup geocounty longitude as lon, latitude as lat
| stats count by County
| geom geocounty

I followed the guide and added the KML file to a zip and changed the extension to kmz.

0 Karma

Path Finder

The problem is this line:

longitude as lon, latitude as lat

just use: longitude, latitude

0 Karma

Path Finder

or use a rename command to change lat and lon to latitude and longitude to avoid the use of "as"

0 Karma

Splunk Employee

Thanks for the details. Are the "lon" and "lat" fields in your query exactly as they appear in your event data?

I think there might be an issue between the lookup step and the "stats count by County" step in your query. Does the data already have location name fields? If so, you don't need to do the lookup part of the query. You can just aggregate by County, if this is the field name in the events data.

Explorer

Yes it is and the lon and lat are appearing.

Splunk Employee

Ok, that's good...

I think there might be an issue between the lookup step and the "stats count by County" step in your query. Does the data already have location name fields? If so, you don't need to do the lookup part of the query. You can just aggregate by County, if this is the field name in the events data.

0 Karma

Explorer

That's weird, because I did that on the Splunk geom of US states.

0 Karma

Splunk Employee

Can you try changing the stats part of your query to
|stats count by featureId
? Let me know if this changes anything in the visualization.

If this doesn't help, it might be useful to see a couple sample events from your data. Could you post a snippet?

Explorer

I got the visual to work, but for some reason it only allowed me to key off of AFFGEOID even when I try to set what feature ID I want to use from the XML. However, it seems that the KMZ file I converted to is somehow causing my bundle to blow up . . . which threw my entire cloud for a loop.

I basically had a cease and desist command on the task :(. Sadly I can't keep trying.

Splunk Employee

Thanks for the update. I'm sorry the custom KMZ file didn't work out. I'll pass along your feedback to our team. Feel free to post again here or contact support if you'd like further guidance later on.

Best,
@frobinson_splunk

0 Karma

Explorer

It looks like Splunk isn't parsing out my KMZ file correctly. When I examine the geo definition for my results, they were all the same. . . .

0 Karma