Splunk Search

Why does "geom geo_us_states" search display a world map instead of North America map?

gl89
Engager

Working my way through the Splunk e-learning offerings, I came across a lab exercise where the resulting query was

"sourcetype=vendor_sales VendorID < 4000 | chart count by VendorStateProvince | geom geo_us_states featuredField=VendorStateProvince"

and I'm expected to use a Choropleth visualization to get a map of North America with the states and provinces shaded according to the search results.

What I get, though, is a world map with the legend in the lower right ("Alabama"..."Alberta"...etc.) but nothing plotted on the map at all.
I cannot find any tweaks in the "Format" dialogue which will help.

Am I doing something obviously (if not to me) incorrect, or is something broken on the e-learning backend?

Thanks for any info,

0 Karma
1 Solution

mporath_splunk
Splunk Employee
Splunk Employee

The query above is logically correct but seems to have a typo; here's the corrected query:

sourcetype=vendor_sales VendorID < 4000 | chart count by VendorStateProvince | geom geo_us_states featureIdField=VendorStateProvince

uses featureIdField instead of featuredField

View solution in original post

mporath_splunk
Splunk Employee
Splunk Employee

The query above is logically correct but seems to have a typo; here's the corrected query:

sourcetype=vendor_sales VendorID < 4000 | chart count by VendorStateProvince | geom geo_us_states featureIdField=VendorStateProvince

uses featureIdField instead of featuredField

gl89
Engager

That's exactly what I was missing. Thanks!

0 Karma

kapenta
Loves-to-Learn Lots

index=Something srccountry="United States" | iplocation src | stats count by Region | geom geo_us_states featureIdField=Region : But it still shows the same world map and when I do the |inputlookup geo_us_states also it gives me world map .

0 Karma

gn694
Communicator

@kapenta 

To adjust the map to see only a portion of it, such as just the USA you need to edit the Latitude, Longitude, and Zoom settings for the map.

You can set these in Format Visualization, on the General page.

The following settings work for me for the continental USA:

- Latitude: 38.62

- Longitude: -93.91

- Zoom: 4

I was not happy with my attempts to show all 50 states since (including Alaska and Hawaii) because of the excess empty/irrelevant space (oceans and Canada) shown.

Alternatively, when editing the dashboard, you can zoom in and out and move the map around and if you are satisfied with how you have got it looking, you can save these settings by going to Format Visualization and on the General page click on Populate with current map settings.

(Refer to the attached map-usa.jpg file to see the settings I mentioned.)

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...