Splunk Search

Plotting points on a Splunk 6 map

fredclown
Path Finder

My data is already coming into splunk lat/lon encoded. I don't need to do any ip geo lookup or anything like that. Each event has a latitude and longitude field. I want to plot each event onto a map. I don't want to group them or do any fancy aggregation. I just pwant oints plottted to a map or maybe possibly a heat map. Is this possible?

Tags (1)
1 Solution

dmaislin_splunk
Splunk Employee
Splunk Employee

It works for me, read below the map for the settings I used:

alt text

I just pulled in this data into Splunk with a sourcetype of geo:

place1,41.66164,-87.74477
place2,41.66587,-86.894357
place3,41.72614,-85.97314

I used these field extractions in my props.conf:

[geo]
EXTRACT-MAPS = ^(?<location>.+?),(?<latitude>.+?),(?<longitude>.+?)$

And here is my Splunk view:

<dashboard>
        <label>Map</label>
        <row>
    <map>
                <title>Map</title>
                <searchString>sourcetype=geo | geostats latfield=latitude longfield=longitude binspanlat=1 binspanlong=1 count</searchString>
                <earliestTime>0</earliestTime>
      <option name="mapping.tileLayer.url">http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png</option>
                        <option name="mapping.tileLayer.subdomains">[a,b,c]</option>
                        <option name="mapping.tileLayer.maxZoom">24</option>
                <option name="link.visible">TRUE</option>
                <option name="link.exportResults.visible">TRUE</option>
                <option name="link.inspectSearch.visible">TRUE</option>
                <option name="link.openSearch.ViewTarget">TRUE</option>
                <option name="mapping.map.zoom">9</option>
                <option name="mapping.markerLayer.markerMaxSize">50</option>
                <option name="mapping.map.center">(41.66587,-86.894357)</option>
                <option name="link.openSearch.text">Open in New Search</option>
                <option name="link.openSearch.search">sourcetype=geo | geostats latfield=latitude longfield=longitude</option>
                <option name="link.openSearch.searchEarliestTime">-30d</option>
                <option name="link.openSearch.searchLatestTime">now</option>
        </map>
        </row>
</dashboard>

View solution in original post

dmaislin_splunk
Splunk Employee
Splunk Employee

It works for me, read below the map for the settings I used:

alt text

I just pulled in this data into Splunk with a sourcetype of geo:

place1,41.66164,-87.74477
place2,41.66587,-86.894357
place3,41.72614,-85.97314

I used these field extractions in my props.conf:

[geo]
EXTRACT-MAPS = ^(?<location>.+?),(?<latitude>.+?),(?<longitude>.+?)$

And here is my Splunk view:

<dashboard>
        <label>Map</label>
        <row>
    <map>
                <title>Map</title>
                <searchString>sourcetype=geo | geostats latfield=latitude longfield=longitude binspanlat=1 binspanlong=1 count</searchString>
                <earliestTime>0</earliestTime>
      <option name="mapping.tileLayer.url">http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png</option>
                        <option name="mapping.tileLayer.subdomains">[a,b,c]</option>
                        <option name="mapping.tileLayer.maxZoom">24</option>
                <option name="link.visible">TRUE</option>
                <option name="link.exportResults.visible">TRUE</option>
                <option name="link.inspectSearch.visible">TRUE</option>
                <option name="link.openSearch.ViewTarget">TRUE</option>
                <option name="mapping.map.zoom">9</option>
                <option name="mapping.markerLayer.markerMaxSize">50</option>
                <option name="mapping.map.center">(41.66587,-86.894357)</option>
                <option name="link.openSearch.text">Open in New Search</option>
                <option name="link.openSearch.search">sourcetype=geo | geostats latfield=latitude longfield=longitude</option>
                <option name="link.openSearch.searchEarliestTime">-30d</option>
                <option name="link.openSearch.searchLatestTime">now</option>
        </map>
        </row>
</dashboard>

dmaislin_splunk
Splunk Employee
Splunk Employee

Not a problem. Happy to help. Very nice use case 🙂

0 Karma

MattZerfas
Communicator

Thanks for the all the help. Sorry my situation seems to be so confusing. I was able to acheive what I want my setting the binspanlat=.1 and binspanlong=.1 and the globallimit to 1.

Here is my end result.
https://dl.dropboxusercontent.com/u/7913972/map.png

0 Karma

dmaislin_splunk
Splunk Employee
Splunk Employee

Yes, using binspanlat and binspanlong. I updated the XML above too and show the search below with the documentation reference.

sourcetype=geo | geostats latfield=latitude longfield=longitude binspanlat=1 binspanlong=1 count

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Geostats

0 Karma

MattZerfas
Communicator

I showed you in the pictures that I linked that the points are being put on the map but when going to zoom 5 instead of 9 like you have it set they are being grouped together and I would like to know if there is a way to have them NOT group.

0 Karma
Get Updates on the Splunk Community!

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...