There are several options for representing data that includes geographic information.
Geographic data visualizations
Choropleth maps and other geographic visualizations can help you visualize data in place.
A Choropleth map uses shading to show relative metrics, such as population or election results, for predefined geographic regions. You can also create non-map geographic visualizations, such as a bar chart showing sales performance by city.
You can find information on components, queries, and configurations for Choropleth maps and non-map geographic visualizations in this topic. Marker maps are covered fully in the About Marker Maps section.
| To learn about | See |
|---|---|
| | About data for geographic visualizations |
| | Components for building geographic visualizations |
| | How to build a geographic visualization query |
| An example choropleth map query | A complete Choropleth map query |
| Configuring Choropleth map colors and other settings | Configuring Choropleth maps |
| Building marker maps | About Marker Maps |
About data for geographic visualizations
Depending on the visualization you are building, you can use data that includes location names, such as "California", or signed degree geographic coordinates. A geographic visualization starts with location information from events. For maps, this location information requires additional processing in a query.
To get started, there are a few considerations to make about the data you are using.
Data for Choropleth maps
Choropleth maps work best when data is normalized. Normalization adjusts your data to more accurately reflect the metric that you visualize. For example, a choropleth map can compare sales performance in two cities with very different populations. Using normalized data to generate this map means that the population difference alone does not determine how the cities' sales compare on the map.
Data for charts and other non-map geographic visualizations
To build a chart or other visualization that does not include a map, you can aggregate events by location name. If the events data already includes the appropriate location name information for the visualization, such as state names for a chart showing sales by state, then you can run a transforming query on the data as it is. No additional components or processing are necessary in this case.
If the events data does not include location name information, but has signed degree latitude and longitude coordinates, then some additional processing is needed in the query.
To learn about components and queries for any geographic visualization, see Components for building geographic visualizations and How to build a geographic visualization query. For general information on non-map visualizations, see the Visualization Reference.
Components for building geographic visualizations
There are a few items to put together for a choropleth map or non-map geographic visualization. Check the requirements listed here against your data to see how many components you need to assemble before running a query.
- Data with geographic coordinates
Geographic visualizations start with data that includes location information for each event. This data can come from several sources, including a sensor or forwarded data source.
You can use:
- Data with signed degree latitude and longitude coordinates.
- Data with location names that match the location names in a lookup.
- A KMZ lookup table file
A KMZ, or compressed Keyhole Markup Language, file defines region boundaries, such as the boundaries of each state in the United States. From the home page, select Settings > Lookups > Lookup table files to review available lookup table files.
You can use:
- Built-in KMZ files for the United States, geo_us_states, and countries of the world.
- An uploaded KMZ file for other places. Upload the KMZ file to the Lookup table files manager page.
- A lookup definition
The lookup checks the data's location coordinates against the KMZ file. It matches coordinates to region definitions in the KMZ data. A featureId location is the default output field for a geospatial lookup. From the home page, select Settings > Lookups > Lookup definitions for available lookup definitions.
You can use:
- Built-in lookups for the United States and for world countries.
- A new lookup that you define to work with the KMZ file and data. This lookup must be marked as
featureId, a lookup must be in place to generate the choropleth map visualization.
To learn more about lookups, see About lookups and field actions in the Knowledge Manager manual.
After you have data with a featureId or you define a lookup, you can create a query for the geographic visualization.
How to build a geographic visualization query
A query coordinates data, a transforming search, and a geospatial lookup to build a choropleth map or other visualization.
Steps for building a query
Here is an example of assembling a geographic visualization query one step at a time. You can run each portion of the query as you build it to ensure that it is working correctly. Depending on the visualization you are creating and the components you have, some steps are optional.
1) Indicate an events data source.
Start with an events data source that has signed degree geographic coordinates or location name fields.
2) Set up a lookup query.
lookup geo_us_states longitude as Lon, latitude as Lat |
If the events data already includes location name or featureId fields, you can skip this step.
This part of the query points to a saved lookup and indicates how to connect it to geographic coordinate fields in the events. This example matches longitude and latitude information in the built-in geo_us_states lookup to the Lon and Lat fields in the events data.
The lookup query generates featureId and featureCollection fields for the events. A featureId is the name of a geographic feature that includes a particular set of geographic coordinates, such as a state or city name. By default, the featureCollection is the lookup definition name.
- Note: Ensure that the lookup finds the correct fields in the source data by checking spelling and case closely. Fields are case-sensitive.
3) Use a transforming search.
stats count by featureId |
Aggregate the data using the lookup's geographic output field, featureId. If you did not need a lookup query, aggregate by the location name field already in the events data.
Check the available Selected Fields or Interesting Fields to ensure that featureId is listed. If it is not, then the lookup did not generate the featureId. Go back to the previous part of the query to ensure that the lookup is correctly matching the data's fields for geographic coordinates with its
If you are not creating a choropleth map, you can now select a visualization type and configure it accordingly. For a choropleth map, see the next step.
4) Use geom to build a choropleth map.
If you are not building a choropleth map, you can skip this step.
After the transforming search aggregates data by featureId, the geom command works with a featureCollection parameter to generate the map. By default, the featureCollection parameter is the lookup being used.
geom command and indicate the lookup name.
If you skipped the lookup step of the query because the events data already has featureId fields, use the lookup to which that featureId belongs. For example, if the data already includes state featureId fields, such as "California", then use the geo_us_states lookup with
For more information and advanced options for choropleth map queries, see geom in the Search Reference.
A complete Choropleth map query
The full query assembled in the previous steps looks like this.
source=my_data_source.csv | lookup geo_us_states longitude as Lon, latitude as Lat | stats count by featureId | geom geo_us_states
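The following is an added example, not part of the original documentation and not Splunk code. It emulates in Python what the lookup and stats steps of the query do, including the case-sensitive field matching the note in step 2 warns about. The ray-casting match, the rectangular region boundaries, the sample events, and all function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed stand-in for a KMZ lookup: featureId -> polygon of (lon, lat) vertices.
# Real KMZ boundaries are far more detailed; these rectangles are illustrative only.
REGIONS = {
    "Colorado": [(-109.05, 37.0), (-102.05, 37.0), (-102.05, 41.0), (-109.05, 41.0)],
    "Wyoming": [(-111.05, 41.0), (-104.05, 41.0), (-104.05, 45.0), (-111.05, 45.0)],
}

def point_in_polygon(lon, lat, polygon):
    """Ray-casting test: count edge crossings of a ray going east from the point."""
    inside = False
    for i in range(len(polygon)):
        (x1, y1), (x2, y2) = polygon[i], polygon[i - 1]
        if (y1 > lat) != (y2 > lat):  # edge spans the point's latitude
            x_cross = x1 + (lat - y1) * (x2 - x1) / (y2 - y1)
            if lon < x_cross:
                inside = not inside
    return inside

def geo_lookup(event, lon_field="Lon", lat_field="Lat"):
    """Emulates `lookup geo_us_states longitude as Lon, latitude as Lat`."""
    # Field names are matched exactly (case-sensitive); a mismatch yields no featureId.
    if lon_field not in event or lat_field not in event:
        return None
    lon, lat = float(event[lon_field]), float(event[lat_field])
    for feature_id, polygon in REGIONS.items():
        if point_in_polygon(lon, lat, polygon):
            return feature_id
    return None

def count_by_feature_id(events, **fields):
    """Emulates `stats count by featureId`: events with no featureId are dropped."""
    ids = (geo_lookup(e, **fields) for e in events)
    return dict(Counter(i for i in ids if i is not None))

# Constructed sample events with signed degree coordinates.
EVENTS = [
    {"Lat": "39.74", "Lon": "-104.99"},  # Denver
    {"Lat": "38.83", "Lon": "-104.82"},  # Colorado Springs
    {"Lat": "41.14", "Lon": "-104.82"},  # Cheyenne
    {"lat": "39.74", "lon": "-104.99"},  # lower-case field names: no match for Lat/Lon
    {"Lat": "51.51", "Lon": "-0.13"},    # London: outside every region
]

if __name__ == "__main__":
    print(count_by_feature_id(EVENTS))
    print(count_by_feature_id(EVENTS, lon_field="lon", lat_field="lat"))
```

Events whose field names differ only in case, or whose coordinates fall outside every region, simply disappear from the aggregate, which is why the steps above recommend checking that featureId is listed before adding the next part of the query.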
Once the components and query are in place, you can view and configure the Choropleth map.
Configuring choropleth maps
There are several options for choropleth map configuration. You can review and change settings by selecting the Format menu and then selecting General, Colors, Shapes, or Tiles.
You can adjust general settings including adding a Drilldown, initial geographic coordinates, and zoom on scroll here.
Configure color settings
You can configure choropleth map color mode and other settings to change how the map displays your data. Aggregated data values are divided into a set of bins. Each bin corresponds to a specific range within your data. Depending on the color mode and total number of bins, an individual bin has a specific shade assigned to it. Bins, along with their colors and value ranges, appear in the legend to the right of the choropleth map.
You can change the color mode, the color associated with the maximum value range, and the number of bins. These options work together to set the shading of the choropleth map.
About Choropleth color modes
There are several options for how choropleth maps use color to show values across regions. As long as you have aggregated metrics that include latitude and longitude coordinates, you can choose from three available color modes.
- When you have a metric that varies by category, you can use the categorical mode. This option can help you pick out regions that share the same category. For example, you might track top product purchases by state. If multiple states have the same top product, they share a color.
- You can use the sequential mode to color regions with different shades of a single hue. This option can help you find regions where a metric is particularly high.
- You can use the divergent mode to color regions in shades of two distinct hues to show how regions fall into a metric range. This also allows you to pick out regions where your metric is particularly high or low. With this option, shading fades as regional metrics approach the middle of the range.
You can adjust shape opacity and borders.
You can show or hide tiles, which represent the background features, such as oceans, of your map.
About Marker Maps
You can use the map visualization to plot geographic coordinates as interactive markers on a world map. Searches for map visualizations typically use the geostats search command to plot markers on a map. The geostats command is similar to the stats command, but provides options for zoom levels and cells for mapping. The geostats command generates events that include latitude and longitude coordinates for markers.
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14