Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

choropleth Map - how to use inputlookup geo_countries in splunk query

dkgs
Communicator
‎09-03-2020 04:22 AM

Hello,

I need to highlight two countries in the choropleth map based on the count . 

index="index=1" | table atomName status|eval country= if(atomName == "APAC", "INDIA", "USA") |stats count by country |stats count by country | inputlookup geo_countries | geom geo_countries | where featureId=country

The above query is throwing error. Please do suggest how I can write the query

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rnowitzki
Builder
‎09-03-2020 05:04 AM

Hi @dkgs,

There are some issues with your SPL, check the Documentation on geom / choropleth map.

This should do it with your example:

index="index=1" 
| stats count by atomName 
| eval country= if(atomName == "APAC", "India", "United States") 
| stats sum(count) by country 
| geom geo_countries featureIdField=country


BR
Ralph


--
Karma and/or Solution tagging appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

rnowitzki
Builder
‎09-03-2020 05:04 AM

Hi @dkgs,

There are some issues with your SPL, check the Documentation on geom / choropleth map.

This should do it with your example:

index="index=1" 
| stats count by atomName 
| eval country= if(atomName == "APAC", "India", "United States") 
| stats sum(count) by country 
| geom geo_countries featureIdField=country


BR
Ralph


--
Karma and/or Solution tagging appreciated.
Reply
Solved! Jump to solution

dkgs
Communicator
‎09-03-2020 06:12 AM

@rnowitzki  Thank you this works. If I have multiple countries how should I give the if condition for the eval statement

| eval country= if(atomName == "APAC", "India", "United States")

like I also need to add if atomName="EUR", it should be Netherlands , similarly multiple conditions for country

Thanks in advance

0 Karma
Reply
Solved! Jump to solution

rnowitzki
Builder
‎09-04-2020 01:09 AM

Hi @dkgs,

You could combine several ifs, or better use case

 

| eval country= case(atomName="APAC", "India", atomName="EUR","Netherlands")

 


So, it's a condition and the result for that condition. another condition, another  result. You can extend it with more conditions and results.

case has no "else" value, so you either have to give all possible values, or you put the "else" / "default" value in an eval before the case statement.

 

| eval country="United States"
| eval country=case(.....)

 


So it would stay "United States" if none of the case conditions match.

BR
Ralph

--
Karma and/or Solution tagging appreciated.
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...