Splunk Search

Why is Splunk Map not showing correct results when trying to plot multiple zip codes?

dhavamanis
Builder

We are using the query below with Splunk Map, but it's not showing the correct results.

index=idxmember | lookup geolookup "Primary_Address_ZIP" as "Primary_Address_ZIP" OUTPUT latitude , longitude |geostats latfield=latitude longfield=longitude count by Primary_Address_ZIP

If I filter by a single zip code, the results are correct, but if there are more entries for a zip code, it is not plotting correctly. For example, we have the entry zipcode-60134 = 500529. It is not showing the correct result if I try to plot it together with all the other zip codes. If I filter as below, it works properly.

index=idxmember Primary_Address_ZIP=60134 | lookup geolookup "Primary_Address_ZIP" as "Primary_Address_ZIP" OUTPUT latitude , longitude |geostats latfield=latitude longfield=longitude count by Primary_Address_ZIP

Can you please tell us how to fix this issue?

0 Karma
1 Solution

dhavamanis
Builder

When we try to plot more than 40000 unique zip code results in a pie chart, somehow it breaks the final results in the pie chart and does not show the correct count. So we have restricted it to only the top 20 zip code results to display in the map pie chart, and it has started showing the correct count.

index=idxmember brand_name=* | top limit=20 Primary_Address_ZIP, latitude, longitude | geostats latfield=latitude longfield=longitude sum(count) by Primary_Address_ZIP globallimit=0

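As an added example that is not part of the original thread: the warning quoted later in this thread arises because geostats keeps at most globallimit split-by values (default 10) as named categories and folds every other value into a single OTHER category, so with 37560 distinct ZIP codes nearly every location's pie shows OTHER instead of its own count. Restricting the input with top limit=20 avoids the trimming but silently discards every ZIP outside the top 20. An alternative that keeps all ZIP codes and needs no split-by field at all is to count per ZIP first and let geostats sum those counts per map bin. It reuses the index, lookup and field names from the page (idxmember, geolookup, Primary_Address_ZIP, latitude, longitude) and assumes, as the original search does, that geolookup returns one latitude/longitude pair per ZIP; the alias members is my own choice:

```spl
index=idxmember
| stats count AS members BY Primary_Address_ZIP
| lookup geolookup Primary_Address_ZIP OUTPUT latitude, longitude
| where isnotnull(latitude) AND isnotnull(longitude)
| geostats latfield=latitude longfield=longitude sum(members) AS members
```

With no by clause there is nothing for globallimit to trim, and each map bin's total is exactly the sum of the per-ZIP counts that fall into it, so a ZIP with 500529 members contributes 500529 wherever its coordinates land. The where clause drops ZIPs that have no entry in geolookup rather than letting them vanish silently; run the first three lines with where isnull(latitude) instead to list them and check the lookup's coverage. If per-ZIP pie slices are genuinely required, globallimit=0 on the original search keeps every value, at the cost of the chart problems martin_mueller describes.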

martin_mueller
SplunkTrust

As indicated by the warning message, you could use the globallimit setting to increase or disable this limit. I'm not sure how well it'd handle such a high number, YMMV.

0 Karma

dhavamanis
Builder

Thanks Martin. We have opened a Splunk support case and are waiting for their response.

0 Karma

martin_mueller
SplunkTrust

Splitting by such a diverse field would create 37560 columns, 37560 different colours on your map, pies with up to 37560 slices, and general trouble.

0 Karma

dhavamanis
Builder

Can you please tell us, is there any way to control this and just show the count for each zip code without a mismatch?

0 Karma

martin_mueller
SplunkTrust

Do provide some info on what's wrong about the displayed data. Screenshots, sample data, wrong output, desired output, etc.

0 Karma

dhavamanis
Builder

After the report completes, we get the warning message below.

Warning message:

"split by field Primary_Address_ZIP has large number of unique values 37560 . Chart column set will be trimmed to 10. Use globallimit argument to control column count"

0 Karma