- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are using the query below with Splunk Map, but it's not showing the correct results.
index=idxmember | lookup geolookup "Primary_Address_ZIP" as "Primary_Address_ZIP" OUTPUT latitude , longitude |geostats latfield=latitude longfield=longitude count by Primary_Address_ZIP
If I filter by a single zip code, the results are correct, but if there are more entries for a zip code, it is not plotting correctly. For example, we have the entry zipcode-60134 = 500529. It is not showing the correct result if I try to plot with all other zip codes. If I filter like below, it is working properly.
index=idxmember Primary_Address_ZIP=60134 | lookup geolookup "Primary_Address_ZIP" as "Primary_Address_ZIP" OUTPUT latitude , longitude |geostats latfield=latitude longfield=longitude count by Primary_Address_ZIP
Can you please tell us how to fix this issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When we try to plot more than 40000 unique zipcode results in pie chart, somehow its breaking the final results in pie chart and not showing correct count. So we have restricted only top 20 zipcode results to display in map pie chart and its started showing correct count.
index=idxmember brand_name=* | top limit=20 Primary_Address_ZIP, latitude, longitude | geostats latfield=latitude longfield=longitude sum(count) by Primary_Address_ZIP globallimit=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When we try to plot more than 40000 unique zipcode results in pie chart, somehow its breaking the final results in pie chart and not showing correct count. So we have restricted only top 20 zipcode results to display in map pie chart and its started showing correct count.
index=idxmember brand_name=* | top limit=20 Primary_Address_ZIP, latitude, longitude | geostats latfield=latitude longfield=longitude sum(count) by Primary_Address_ZIP globallimit=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As indicated by the warning message, you could use the globallimit setting to increase or disable this limit. I'm not sure how well it'd handle such a high number, ymmv.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Martin, We have opened the Splunk support case and waiting for their response.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splitting by such a diverse field would create 37560 columns, 37560 different colours on your map, pies with up to 37560 slices, and general trouble.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please tell us, is there any way to control this and just show count for each of the zipcode without mismatch?.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do provide some info on what's wrong about the displayed data. Screenshots, sample data, wrong output, desired output, etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Once after report complete getting the below warning message
Warning message:
"split by field Primary_Address_ZIP has large number of unique values 37560 . Chart column set will be trimmed to 10. Use globallimit argument to control column count"
