Splunk Search

Generate a choropleth map based on the states using geo_us_states

rohit_kothuru
New Member

I am trying to generate a Choropleth map to show the density of requests for each state in the US.

I am using the query below:

rex field=_raw ".*State -(?<searchState>.*) for.*" | search searchState != null |stats count by searchState |geom geo_us_states featureIdField=searchState

searchState   count   featureCollection   geom
California    2       geo_us_states
Connecticut   2       geo_us_states

The above is the output I am getting, and I am not getting any results on the map visualization.
I don't see any issue in the job log either. Can someone help me out with this?

(EDIT - I changed the code to be in "code" tags to make Answers not eat characters - Rich)

0 Karma

Richfez
SplunkTrust

Interesting - where the field geom is specified, you should have a bunch of stuff, like ...

 {"type":"multipolygon", "coordinates": [[[[lots of numbers here ... LOTS of numbers here... 🙂 ... }

Can you try this run-anywhere search?

| makeresults | eval state="California" | stats count by state | geom geo_us_states featureIdField=state

When it runs, in your statistics tab you should have output like I describe above for California. In the visualizations tab you should see a US or world map, with California in light pink.

Let us know what you find!

0 Karma

rohit_kothuru
New Member

@rich7177

I ran the run-anywhere search and I am able to see California in light pink.

0 Karma

rohit_kothuru
New Member

@rich7177

It was a mistake on my side. The state had spaces, and because of this it was not getting mapped.

If I run the query (with geom geo_us_states) I get the world map, but I want only the map of the US. Is there any way to achieve this?

0 Karma

Richfez
SplunkTrust

In the settings for the map, there's a way to set the default zoom level. If you get it zoomed in how you want, then set that, it should remember your settings.

0 Karma

rohit_kothuru
New Member

Correct query:

rex field=_raw ".*State -(?<searchState>.*) for.*" | search searchState != null |stats count by searchState |geom geo_us_states featureIdField=searchState

0 Karma

Richfez
SplunkTrust

Oh and I see you did that too. Well, no harm done. 🙂

0 Karma
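The cause found in this thread was whitespace around the extracted state name, which keeps geom from matching a feature in geo_us_states. Below is an added run-anywhere example, not posted by either participant. The three events and their wording are constructed, and trim() is one way to strip the spaces, not necessarily what the original poster did.

```spl
| makeresults count=3
| streamstats count as n
| eval _raw=case(n=1, "constructed sample: State - California for user a",
                 n=2, "constructed sample: State -California for user b",
                 n=3, "constructed sample: State - Connecticut  for user c")
| rex field=_raw "State -(?<searchState>.*) for"
| eval searchState=trim(searchState)
| stats count by searchState
| geom geo_us_states featureIdField=searchState
```

Without the trim() line the captured values are " California", "California" and " Connecticut ", so stats counts them as three separate states and only the exact match gets a populated geom field.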