Splunk Search

How to do conditional formatting with geostats to color code points on a Splunk map with different ranges of count values?

qiaojing
Path Finder

Hi

I'm trying to display coordinates on a Splunk Map and color code the points with different ranges of count values.

I managed to create the map with the default pie chart with the search string below, but it's using the default colors.

[base search] | lookup cpk_coord_lookup NUM_CPK as NUM_CPK OUTPUT NUM_LNGTD, NUM_LATD | geostats latfield=NUM_LATD longfield=NUM_LNGTD maxzoomlevel=18 globallimit=0 count by NUM_CPK

I also referred to a similar question:
https://answers.splunk.com/answers/221348/geostats-display-bubbles-on-map-instead-of-pie-cha.html
and came up with a second search string which is color coded, but each bubble is identified by the color category (eg greenCount) instead of the NUM_CPK (ID).

[base search] | lookup cpk_coord_lookup NUM_CPK as NUM_CPK OUTPUT NUM_LNGTD, NUM_LATD | geostats latfield=NUM_LATD longfield=NUM_LNGTD maxzoomlevel=18 globallimit=0 count(NUM_CPK) as TOTAL | eval redCount = if(TOTAL >= 50000,TOTAL,0) | eval yellowCount = if((TOTAL >= 10000 AND TOTAL < 50000),TOTAL,0) | eval greenCount = if(TOTAL < 10000,TOTAL,0) | fields - TOTAL

I understand that the 2nd search string is not displaying the NUM_CPK column because I didn't use the BY clause. However, if I use the BY clause (first search string), I won't be able to do conditional formatting on the points anymore.

Any idea how I can use the first search string and yet do conditional formatting? Any help will be greatly appreciated.

Thank you very much.

0 Karma
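One way to keep the NUM_CPK identifier and still apply the thresholds from the post above, as an added example that is not the original poster's search: evaluate the band per NUM_CPK before geostats (with stats) instead of per map cluster after it, then fold the band into the series name that geostats splits on. It assumes the same cpk_coord_lookup, the same NUM_CPK/NUM_LATD/NUM_LNGTD fields and the same 10000/50000 thresholds as the question; `[base search]` is left as the placeholder it is in the post, and the field names band and series are the example's own.

```spl
[base search]
| lookup cpk_coord_lookup NUM_CPK OUTPUT NUM_LNGTD, NUM_LATD
| stats count AS TOTAL, first(NUM_LATD) AS NUM_LATD, first(NUM_LNGTD) AS NUM_LNGTD BY NUM_CPK
| eval band = case(TOTAL >= 50000, "red", TOTAL >= 10000, "yellow", true(), "green")
| eval series = band . "_" . NUM_CPK
| geostats latfield=NUM_LATD longfield=NUM_LNGTD maxzoomlevel=18 globallimit=0 sum(TOTAL) AS TOTAL BY series
```

Because the count is totalled per NUM_CPK first, the band reflects that ID's own count rather than the count of whatever cluster geostats merges it into at a given zoom level, and sum(TOTAL) keeps the cluster totals additive when zoomed out. Each pie slice and legend entry is then named like red_12345, so both the ID and its band are visible in the legend and tooltip. Which actual color the map assigns to each series is still chosen by the map visualization, not by the search, and this thread does not show how to force a specific color per series on 6.2.1. Events whose NUM_CPK has no lookup match end up with empty coordinates and are dropped by geostats, exactly as in the original searches.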

shaskell_splunk
Splunk Employee

Have a look at this post:

https://answers.splunk.com/answers/221348/geostats-display-bubbles-on-map-instead-of-pie-cha.html

If you're using Splunk 6.4 you can take advantage of other mapping visualization apps like:

Clustered Single Value Map Visualization

Custom Cluster Map Visualization

0 Karma

qiaojing
Path Finder

@shaskell_splunk Hi, I have already referred to that post as mentioned above. The solution in that post is unable to display the CPK_NUM for me, it only displays the category of count as it doesn't have a by-clause after count.

I need to use the count by CPK_NUM and at the same time do conditional formatting.

Unfortunately, I'm using v 6.2.1

0 Karma

cmoinet
Engager

I have the same problem

0 Karma