Splunk Enterprise Security

Problem dynamically specifying colors in specific order - geomapping sequential/categorical

opsniper
New Member

Hey fellow Splunkers. I'm working on mapping some of my data and ran into a bit of a snag.. With the first search example below, I managed to get my IPS data populating the map sequentially. The problem is, I don't believe it's possible to change the first (min?) color. What I'm left with is everything being white except for the top hitting country, because of the large discrepancy in numbers. E.g.: first series ends up being 0-1000 which is most countries and the top country ends up being 10000-12000.

index=IPS source=IPS | iplocation src_ip | stats count by Country | geom geo_countries featureIdField="Country"

So, I found a way to fix it! Dynamically allocating categories in a "categorical" type map and assigning the series colors in the XML. It worked... for the most part... As it turns out, the first category that populates grabs the first color and it continues on from there as it goes through the logs. If it hits a log from China first, but China ends up being the second from the top, it has the first color. This ends up with a random assortment of colors from my hard-coded list in the final series list. E.g.: If I have color1,color2,color3 in the xml, I might end up with a series/color listing of color2,color1,color3. Below is the code I have to get to this point.

XML: <option name="mapping.seriesColors">[0xafcdff, 0x7cadff, 0x5695ff, 0x2b7aff, 0x005fff]</option>
Search: index=IPS source=IPS | iplocation src_ip | stats count by Country | geom geo_countries featureIdField="Country" | kmeans k=5 count | eventstats min(count) AS min, max(count) AS max by CLUSTERNUM | sort max | eval count=min."-".max | fields - CLUSTERNUM centroid_count max min

Does anyone have any recommendations where I can better control the assignment of colors to each series? I want to end up with a sequential-type map, but be able to have any country with a value of >0 to not be white.

Thank you in advance.

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...