Splunk® Enterprise

Dashboards and Visualizations

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Mapping data

There are several options for representing data that includes geographic information.

Geographic data visualizations

6.3.0 choropleth screenshot divergent us states.png

Choropleth maps and other geographic visualizations can help you visualize data in place.

A Choropleth map uses shading to show relative metrics, such as population or election results, for predefined geographic regions. You can also create non-map geographic visualizations, such as a bar chart showing sales performance by city.

You can find information on components, queries, and configurations for Choropleth maps and non-map geographic visualizations in this topic. Marker maps are covered fully in the About Marker Maps section.

To learn about See
  • Data requirements
  • How to ensure data is best represented on a Choropleth map
About data for geographic visualizations
  • What files and other components you need for Choropleth maps and non-map geographic visualizations
  • How each component works
Components for building geographic visualizations
  • How to build a Choropleth map query step by step
  • How to build a non-map geographic visualization query step by step
  • How the different parts of a geographic visualization query work
  • Whether you can skip any parts of the query depending on the data source or the visualization you are building
How to build a geographic visualization query
An example choropleth map query A complete Choropleth map query
Configuring Choropleth map colors and other settings Configuring Choropleth maps
Building marker maps About Marker Maps

About data for geographic visualizations

Depending on the visualization you are building, you can use data that includes location names, such as "California", or signed degree geographic coordinates. A geographic visualization starts with location information from events. For maps, this location information requires additional processing in a query.

To get started, there a few considerations to make about the data you are using.

Data for Choropleth maps

Choropleth maps work best when data is normalized. Normalization adjusts your data to more accurately reflect the metric that you visualize. For example, a choropleth map can compare sales performance in two cities with very different populations. Using normalized data to generate this map means that the population difference alone does not determine how the cities' sales compare on the map.

Data for charts and other non-map geographic visualizations

To build a chart or other visualization that does not include a map, you can aggregate events by location name. If the events data already includes the appropriate location name information for the visualization, such as state names for a chart showing sales by state, then you can run a transforming query on the data as it is. No additional components or processing are necessary in this case.

If the events data does not include location name information, but has signed degree latitude and longitude coordinates, then some additional processing is needed in the query.

To learn about components and queries for any geographic visualization, see Components for building geographic visualizations and How to build a geographic visualization query. For general information on non-map visualizations, see the Visualization Reference.

Components for building geographic visualizations

There are a few items to put together for a choropleth map or non-map geographic visualization. Check the requirements listed here against your data to see how many components you need to assemble before running a query.

  • Data with geographic coordinates
    Geographic visualizations start with data that includes location information for each event. This data can come from several sources, including a sensor or forwarded data source.

    You can use:
    • Data with signed degree latitude and longitude coordinates.
    • Data with location names that match the location names in a lookup.

  • A KMZ lookup table file
    A KMZ, or compressed Keyhole Markup Language, file defines region boundaries, such as the boundaries of each state in the United States. From the home page, select Settings > Lookups > Lookup table files to review available lookup table files.

    You can use:
    • Built-in KMZ files for the United States, geo_us_states, and countries of the world, geo_countries.
    • An uploaded KMZ file for other places. Upload the KMZ file to the Lookup table files manager page.
    *Note: KML files are not currently supported. Use a KMZ file when uploading. To convert a KML file into KMZ, compress the file and replace the '.zip' extension with '.kmz'

  • A lookup definition
    The lookup checks the data's location coordinates against the KMZ file. It matches coordinates to region definitions in the KMZ data. A featureId location is the default output field for a geospatial lookup. From the home page, select Settings > Lookups > Lookup definitions for available lookup definitions.

    You can use:
    • Built-in lookups for the United States and for world countries.
    • A new lookup that you define to work with the KMZ file and data. This lookup must be marked as external_type=geo.
    *Note: Choropleth map rendering relies on a defined lookup. Even if events already have a featureId, a lookup must be in place to generate the choropleth map visualization.

    To learn more about lookups, see About lookups and field actions in the Knowledge Manager manual.

After you have data with a featureId or you define a lookup, you can create a query for the geographic visualization.

How to build a geographic visualization query

A query coordinates data, a transforming search, and a geospatial lookup to build a choropleth map or other visualization.

Steps for building a query

Here is an example of assembling a geographic visualization query one step at a time. You can run each portion of the query as you build it to ensure that it is working correctly. Depending on the visualization you are creating and the components you have, some steps are optional.

1) Indicate an events data source.

source=my_data_source.csv |

Start with an events data source that has signed degree geographic coordinates or location name fields.

2) Set up a lookup query.

lookup geo_us_states longitude as Lon, latitude as Lat |

If the events data already includes location name or featureId fields, you can skip this step.

This part of the query points to a saved lookup and indicates how to connect it to geographic coordinate fields in the events. This example matches longitude and latitude information in the built-in geo_us_states lookup to the Lat and Lon fields in the events data.

The lookup query generates featureId and featureCollection fields for the events. A featureId is the name of a geographic feature that includes a particular set of geographic coordinates, such as a state or city name. By default, the featureCollection is the lookup definition name.

  • Note: Ensure that the lookup finds the correct fields in the source data by checking spelling and case closely. Fields are case-sensitive.

3) Use a transforming search.

stats count by featureId |

Aggregate the data using the lookup's geographic output field, featureId. If you did not need a lookup query, aggregate by the location name field already in the events data.

Check the available Selected Fields or Interesting Fields to ensure that featureId is listed. If it is not, then the lookup did not generate the featureId. Go back to the previous part of the query to ensure that the lookup is correctly matching the data's fields for geographic coordinates with its latitude and longitude coordinates.

If you are not creating a choropleth map, you can now select a visualization type and configure it accordingly. For a choropleth map, see the next step.

4) Use geom to build a choropleth map.

geom geo_us_states

If you are not building a choropleth map, you can skip this step.

After the transforming search aggregates data by featureId, the geom command works with a featureCollection parameter to generate the map. By default, the featureCollection parameter is the lookup being used.

Add the geom command and indicate the lookup name.

if you skipped the lookup step of the query because the events data already has featureId fields, use the lookup to which that featureId belongs. For example, if the data already includes state featureId fields, such as "California", then use the geo_us_states lookup with geom here.

For more information and advanced options for choropleth map queries, see geom in the Search Reference.

A complete Choropleth map query

The full query assembled in the previous steps looks like this.

source=my_data_source.csv | lookup geo_us_states longitude as Lon, latitude as Lat | stats count by featureId | geom geo_us_states

Once the components and query are in place, you can view and configure the Choropleth map.

Configuring choropleth maps

There are several options for choropleth map configuration. You can review and change settings by selecting the Format menu and then selecting General, Colors, Shapes, or Tiles.

General settings

You can adjust general settings including adding a Drilldown, initial geographic coordinates, and zoom on scroll here.

Color settings

Configure color settings

You can configure choropleth map color mode and other settings to change how the map displays your data. Aggregated data values are divided into a set of bins. Each bin corresponds to a specific range within your data. Depending on the color mode and total number of bins, an individual bin has a specific shade assigned to it. Bins, along with their colors and value ranges, appear in the legend to the right of the choropleth map.

To review and adjust color options, select Format > Colors. Here is an example of what you might see. 6.3.0 choropleth data bins color menu.png

You can change the color mode, the color associated with the maximum value range, and the number of bins. These options work together to set the shading of the choropleth map.

About Choropleth color modes

There are several options for how choropleth maps use color to show values across regions. As long as you have aggregated metrics that include latitude and longitude coordinates, you can choose from three available color modes.

  • When you have a metric that varies by category, you can use the categorical mode. This option can help you pick out regions that share the same category. For example, you might track top product purchases by state. If multiple states have the same top product, they share a color.
    6.3.0 choropleth categorical us states.png

  • You can use the sequential mode to color regions with different shades of a single hue. This option can help you find regions where a metric is particularly high.
    6.3.0 choropleth sequential us states.png

  • You can use the divergent mode to color regions in shades of two distinct hues to show how regions fall into a metric range. This also allows you to pick out regions where your metric is particular high or low. With this option, shading fades as regional metrics approach the middle of the range.
    6.3.0 choropleth screenshot divergent us states.png


You can adjust shape opacity and borders.


You can show or hide tiles, which represent the background features, such as oceans, of your map.

About Marker Maps

You can use the map visualization to plot geographic coordinates as interactive markers on a world map. Searches for map visualizations typically use the geostats search command to plot markers on a map. The geostats command is similar to the stats command, but provides options for zoom levels and cells for mapping. The geostats command generates events that include latitude and longitude coordinates for markers.

Viz ItalyMap3.png

Last modified on 23 September, 2015
Chart display issues
Dashboard tools and frameworks

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters