[base search] | lookup cpk_coord_lookup NUM_CPK as NUM_CPK OUTPUT NUM_LNGTD, NUM_LATD | geostats latfield=NUM_LATD longfield=NUM_LNGTD maxzoomlevel=18 globallimit=0 count(NUM_CPK) as TOTAL | eval redCount = if(TOTAL >= 50000,TOTAL,0) | eval yellowCount = if((TOTAL >= 10000 AND TOTAL < 50000),TOTAL,0) | eval greenCount = if(TOTAL < 10000,TOTAL,0) | fields - TOTAL
I understand that the 2nd search string is not displaying the NUM_CPK column because I didn't use the BY clause. However, if I use the BY clause (first search string), I won't be able to do conditional formatting on the points anymore.
Any idea how I can use the first search string and yet do conditional formatting? Any help will be greatly appreciated.
@shaskell_splunk Hi, I have already referred to that post as mentioned above. The solution in that post is unable to display the CPK_NUM for me, it only displays the category of count as it doesnt have a by-clause after count.
I need to use the count by CPK_NUM and at the same time do conditional formatting.