Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to do conditional formatting with geostats to color code points on a Splunk map with different ranges of count values?

qiaojing
Path Finder
‎06-08-2016 01:13 AM

Hi

I'm trying to display coordinates on a Splunk Map and color code the points with different ranges of count values.

I managed to create the map with the default pie chart with the search string below, but it's using the default colors. 

[base search] | lookup cpk_coord_lookup NUM_CPK as NUM_CPK OUTPUT NUM_LNGTD, NUM_LATD | geostats latfield=NUM_LATD longfield=NUM_LNGTD maxzoomlevel=18 globallimit=0 count by NUM_CPK

I also referred to a similar question:
https://answers.splunk.com/answers/221348/geostats-display-bubbles-on-map-instead-of-pie-cha.html
and came out with a second code which is color coded, but each bubble is identified by the color category (eg greenCount) instead of the NUM_CPK (ID). 

[base search] | lookup cpk_coord_lookup NUM_CPK as NUM_CPK OUTPUT NUM_LNGTD, NUM_LATD | geostats latfield=NUM_LATD longfield=NUM_LNGTD maxzoomlevel=18 globallimit=0 count(NUM_CPK) as TOTAL | eval redCount = if(TOTAL >= 50000,TOTAL,0) | eval yellowCount = if((TOTAL >= 10000 AND TOTAL < 50000),TOTAL,0) | eval greenCount = if(TOTAL < 10000,TOTAL,0) | fields - TOTAL

I understand that the 2nd search string is not displaying the NUM_CPK column because I didn't use the BY clause. However, if I use the BY clause (first search string), I won't be able to do conditional formatting on the points anymore.

Any idea how I can use the first search string and yet do conditional formatting? Any help will be greatly appreciated.

Thank you very much.

0 Karma
Reply

shaskell_splunk
Splunk Employee
Splunk Employee
‎06-08-2016 01:28 PM

Have a look at this post:

https://answers.splunk.com/answers/221348/geostats-display-bubbles-on-map-instead-of-pie-cha.html

If you're using Splunk 6.4 you can take advantage of other mapping visualization apps like:

Clustered Single Value Map Visualization

Custom Cluster Map Visualization

0 Karma
Reply

qiaojing
Path Finder
‎06-08-2016 07:03 PM

@shaskell_splunk Hi, I have already referred to that post as mentioned above. The solution in that post is unable to display the CPK_NUM for me, it only displays the category of count as it doesnt have a by-clause after count.

I need to use the count by CPK_NUM and at the same time do conditional formatting.

Unfortunately, I'm using v 6.2.1

0 Karma
Reply

cmoinet
Engager
‎05-20-2019 07:15 AM

I have the same problem

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...