Splunk Search

How to show markers on a map?

monacledpotato
Explorer

I have many different machines that move around the country (USA), each with its own GPS lat and long coordinates. I'd like to be able to show the last known location for each item on a map. 

My current search is as follows:

source=".../ops.log" |
table host, _time, gps_latitude, gps_longitude |
where gps_latitude > 0.0 AND gps_longitude < 0.0 |
dedup host


(the first line looks into a .log file which has information for latitude and longitude, many times these values are inputted as 0.0 or null and therefore I need to filter those out before I add them to the map, hence the "where" command).

This correctly gets all of the machines with their GPS coords and displays them on a table (albeit very slowly).

Now I would like to translate that information onto a marker map where each marker represents a host with its last known GPS coordinates. 

I recognize that I must probably use a cluster map for this and have tried to add the following line to generate the map. (this is placed as the second last line)


geostats latfield=gps_latitude, longfield=gps_longitude count by host |


Unfortunately, nothing happens when attempting to add this line. 

I would very much appreciate any help or guidance I could get to help set me in the right direction. 

Thank you for your time.


PickleRick
SplunkTrust
SplunkTrust

Really depends on what you want to achieve. Do you want to track trips your vehicles took? Do you just want to know where they are now?

Anyway, you're creating a table from all events over whole _time period which might not be very effective. That's why it takes so long.

Anyway, for example, I'm using Splunk to monitor logs from my two cars and I visualize it with Maps+ for Splunk (https://splunkbase.splunk.com/app/3124/).

For finding current position I use (for a single car):

index=opengts ValidGPS=true device="myCarID" | sort -timestamp | head 1
| eval latitude=gps_lat
| eval longitude=gps_lon
| eval tooltip=time." ".device." ".address
| eval pathLayer=device
| eval markerColor="red"
| eval markerSize=50
| table latitude longitude _time UniqueID tooltip pathLayer order markerColor markerPriority markerSize markerType

For plotting trips of the cars on a single map I use:

index=opengts ValidGPS=true | sort -timestamp | streamstats count as order by UniqueID | where order<=100 
| eventstats count as total by UniqueID
| eval latitude=gps_lat
| eval longitude=gps_lon
| eval tooltip=time." ".device." ".address | eval pathLayer=device
| eval order=total-order
| eval eventprogress=order/total
| eval colorindex=substr(tostring(16+round(240*eventprogress),"hex"),3,3)
| eval markerColor=case(order=total, "yellow", pathLayer=="car1","#ff".colorindex.colorindex, pathLayer=="car2","#".colorindex.colorindex."ff", 1==1,"green")
| eval markersize=50*eventprogress
| eval markerSize=("".round(markersize).",".(round(markersize*1.2)))
| eval markerPriority=order
| eval markerType="svg"
| table latitude longitude _time UniqueID tooltip pathLayer order markerColor markerPriority markerSize markerType

This way I'm getting a series of gradually enlarging position markers on the map (hence the size calculations).

Probably the searches might be done better (I wrote them some 1.5 years ago when I was starting with splunk :D)

So it all depends on:

1) What's your actual need

2) What data you have

3) What data format your visualization needs

EDIT: OK, I'm blind. You wrote explicitly that you want the latest position. It should be relatively easy to find it:

source="../ops.log" gps_latitude>0 gps_longitude>0
| stats latest(gps_latitude) as latitude latest(gps_longitude) as longitude by host

I wouldn't be so eager to use geostats if you want to display single vehicles since geostats is used to aggregate data. Just table the data and use Maps+.

monacledpotato
Explorer

Thank you very much for your reply! The examples you've given are a great help. 

Thank you loads for the tip on Maps+! Unfortunately, I don't currently have access (not the admin of my splunk instance) to add that app to my instance of splunk at the moment, but can probably get it eventually. 

Until then, I wanted to see if I could create a working prototype with the base tools given by splunk first. My goal right now is to just have marker points on a map dictate the last known locations of individual machines. 

To answer your questions:

1) What's your actual need:
I just need to get their latest known position and don't need to track the trips they took. So just where they are now, or where they last pinged their location at, essentially. 

2) What data you have:
Each machine has its own log file which contains a bunch of information including the time the log file was created, the host which created the file, and latitude and longitude coordinates taken from the onboard GPS.

The log file is created periodically as long as the machine is on. Therefore each host creates many instances and needs to be filtered out via the "dedup host" command I have at the end. (I suspect there might be a better way to do this, but that dedup host command is to ensure there aren't a bunch of instances of the same host on the map. Just distinct hosts at any given time on the map.)

3) What data format your visualization needs:
I'm not entirely certain what data format the map would need (I'm still pretty new to splunk if you couldn't already tell haha :D). 

Anyways, thanks again for your reply I really appreciate it. 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

See my previous response after the edit. You might have missed that.

monacledpotato
Explorer

It would seem as though I'm the one who is blind, I completely missed your edit! 

With your help, I was able to take a step forward and have the machine host print on the visualization tab! However, it would seem to not be showing any markers on the cluster map itself. Is there anything else I'm missing or should the map be populated with the markers by now? 

I'll probably start looking into using Maps+ then. Hopefully, I can get access to that soon.

Thanks again for the help! 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

If you want to use the cluster map, you need the geostats command. It creates some fancy bins that the visualization aggregates data over later. That's why I prefer Maps+ - it's more straightforward to use.

monacledpotato
Explorer

Ah, alright, last question then! 

Do I append the geostats command after the stats command or do I redo the stats command as the geostats command?

This is how I currently have it, and although it does display the latitude and longitude values (without the host) on the visualization tab, it still does not yet display anything on the map. 

stats latest(gps_latitude) as latitude latest(gps_longitude) as longitude by host |
geostats latfield=latitude longfield=longitude 

Thank you for your help so far, you've really helped point me in the right direction to figuring this out! 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

You add geostats after the stats. But you also need an aggregation function. So, for example

| geostats count latfield=latitude longfield=longitude

monacledpotato
Explorer

Thank you so much! That worked! I finally have it so that there are cluster points where the last known GPS position was printed! 

Sorry, I know I said the last question would be the last question, but do you know how I can get it so that the hostname is presented in either the statistics tab or upon hover of the cluster point? Currently, I can see the map populated with those points but I'm unsure which point belongs to which host.

EDIT: nevermind! Figured it out by adding "by host" after the count command in the geostats command.

Thanks again for all of your help!

0 Karma
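Putting the thread together (the zero/null filter from the question, PickleRick's `stats latest(...) by host` search from the edited first reply, and the `geostats count by host` from the accepted answer), as an added example that neither participant posted; the source path is the question's own placeholder, the field names are the ones used in the thread, and `last_seen` is an extra field added here so the statistics tab also shows when each host last reported:

```spl
source=".../ops.log"
| where isnotnull(gps_latitude) AND isnotnull(gps_longitude)
    AND gps_latitude!=0 AND gps_longitude!=0
| stats latest(gps_latitude) AS latitude
        latest(gps_longitude) AS longitude
        latest(_time) AS last_seen
        BY host
| geostats latfield=latitude longfield=longitude count BY host
```

The `stats ... BY host` replaces `dedup host`, so each host contributes exactly one point, and `count BY host` in geostats is what makes the host names appear per cluster on the map and in the statistics tab.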