Splunk® Enterprise

Dashboards and Visualizations

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Mapping data

There are several options for visualizing data that includes geographic information.

 This image shows a map of the United States. States have lighter or darker shades of two different colors. One color represents low values for a particular metric. The darkest shading in this color represents the lowest values. The other color represents high values for the same metric. The darkest shading in this color represents the highest values. Shading fades as the values approach the middle of this range.

A Choropleth map uses shading to show relative metrics, such as population or election results, for predefined geographic regions. You can also create other visualizations with geographic data, such as a bar chart showing sales performance by city.

You can find information on creating Choropleth maps and non-map geographic visualizations in this topic. Marker maps are covered fully in the Marker Maps section.


To learn about See
  • Data requirements
  • How to ensure data is represented properly on a Choropleth map
Data for geographic visualizations
Files and components for Choropleth maps and other geographic visualizations Components for building geographic visualizations
  • How to build a Choropleth map query step by step
  • How to build a non-map geographic visualization query step by step
  • How a geographic visualization query works
  • Whether you can skip any parts of the query depending on the data source or the visualization you are building
Build a geographic visualization query
An example choropleth map query A complete Choropleth map query
  • Creating geospatial lookups
  • How geospatial lookups work
Configure geospatial lookups in the Knowledge Manager Manual
Configuring Choropleth map colors and other settings Configuring Choropleth map settings
Building marker maps Marker Maps

Data for geographic visualizations

Geographic visualizations aggregate events by location. Location names might already be included in events. You can also use a query to generate locations from signed degree latitude and longitude coordinates in each event.

Normalize data for Choropleth maps

Choropleth maps work best when data is normalized. Normalization adjusts your data to more accurately reflect the metric that you visualize. For example, a Choropleth map can compare sales performance in two cities with significantly different populations. Using normalized data to generate this map means that the population difference alone does not determine how the cities' sales compare on the map.

For more information about data requirements and using a query to generate locations for events, see


Components for building geographic visualizations

These components are required for creating geographic visualizations. Check the following table before running a query.


Component Description Available options
Data with geographic coordinates Geographic visualizations start with data that includes location information for each event. This data can come from several sources, including a sensor or forwarded data source. Either:
  • Data with signed degree latitude and longitude coordinates.
  • Data with location names that match the location names in a lookup.
Lookup table file A lookup table file defines region boundaries, such as the boundaries of each state in the United States.

From the Search and Reporting home page, select Settings > Lookups > Lookup table files to review available files.
Either:
  • Built-in files for the United States, geo_us_states, and countries of the world, geo_countries.
  • Upload a KML or KMZ file for other places. Upload the file to the Lookup table files manager page.
Geospatial lookup A geospatial lookup matches coordinates to region definitions in the lookup table file.

From the home page, select Settings > Lookups > Lookup definitions for available lookup definitions.
Either:
  • Built-in lookups for the United States and for world countries.
  • Create a geospatial lookup. For more information, see Configure geospatial lookups in the Knowledge Manager Manual.


Build a geographic visualization query

A query coordinates data, a transforming search, and a geospatial lookup to build a Choropleth map or other geographic visualization.

Prerequisites
(Optional) Review the following requirements.


Steps for building a search

Here are the steps for building a geographic visualization query. Run each portion of the query as you build it to ensure that it is working correctly. Depending on the geographic visualization you are creating and the components that you have, some steps are optional.

  1. Indicate an events data source.
    source=my_data.csv |
    Start with an events data source that has signed degree geographic coordinates or location name fields. For example, here is one record in a .csv file listing retail locations for a business. This file includes latitude and longitude coordinates for each record.
    Store Number,Name,Facility ID,Products,Services,Country,Latitude,Longitude
    12345,Buttermilk Tea Shop,54321,"Tea, Cake",Wi-Fi,US,43.031873,-71.073203
    

  2. (Optional) Add a lookup query.
    lookup geo_us_states longitude as Longitude, latitude as Latitude |
    If the events data already includes location name or featureId fields, you can skip this step.

    The lookup query uses the geographic coordinates to generate featureId and featureCollection fields for events. A featureId is the name of a geographic feature that includes a particular set of geographic coordinates, such as a state or city name. By default, the featureCollection is the lookup definition name.

    After adding the lookup query and running the search, check the available Selected Fields or Interesting Fields to ensure that featureId is listed. If it is not, then the lookup did not generate the featureId from the geographic coordinates. Fields are case-sensitive.

  3. Use a transforming search.
    stats count by featureId |
    Aggregate the data using the lookup's geographic output field, featureId. If you did not need a lookup query, aggregate by the location name field already in the events data.

  4. (Optional) Select and configure a visualization.
    If you are not building a Choropleth map, the query is complete. Use the Visualization Picker to select a visualization type. Use the Format menu to configure it.

  5. (Optional) Use geom to complete the Choropleth map query.
    If you are building a Choropleth map, add the geom command and pass in the lookup name for the featureCollection parameter.

    Depending on whether the events include a featureId field, select one of the following options.
    Events have Next steps Example
    featureId fields
    1. Use the lookup to which those fields belong.
    geom geo_us_states 
    Location names, no featureId field. This might be the case if you skipped the lookup query earlier.
    1. Use a lookup that contains the location names. For example, if events have US state names, use geo_us_states.

    2. Indicate which events field geom should interpret as the featureIdfield.
    geom geo_us_states featureIdField="State"


For more information and advanced options for Choropleth map queries, see geom in the Search Reference.


A complete Choropleth map query

The full query assembled in the previous steps looks like this.

source=my_data_source.csv | lookup geo_us_states longitude as Longitude, latitude as Latitude | stats count by featureId | geom geo_us_states

Configuring Choropleth map settings

To review or change Choropleth map configuration, select the Format menu and one of the following settings panels.

General

Adjust general settings including drilldown, initial geographic coordinates, and zoom on scroll.

Colors

Color mode and data bin settings determine how a Choropleth map uses color to visualize data. Select a color mode and configure data bins in the Colors panel.


Color modes

Color mode Description and use cases Example
Categorical Color regions by category value. For example, you can track top product purchases by state. If multiple states have the same top product, they share a color.
 This image shows a map of the United States. States are shown in different colors depending on the top product value.
Sequential Color regions with light to dark shades of a single hue. This mode helps you find regions where a metric is particularly high.  This image shows a map of the United States. States have different shades of the same hue or color. Some states have light shading, some have medium shading, and others have dark shading. The darkest shades represent the highest values for the metric being tracked.
Divergent Color regions in light to dark shades of two distinct hues. This mode shows regions where a metric is particular high or low. Shading fades as regional metrics approach the middle of the range.  This image shows a map of the United States. States have lighter or darker shades of two different colors. One color represents low values for a particular metric. The darkest shading in this color represents the lowest values. The other color represents high values for the same metric. The darkest shading in this color represents the highest values. Shading fades as the values approach the middle of this range.

Data bins

Aggregated data values are divided into a set of bins. Each bin corresponds to a specific value range and has a unique color or shade. You can adjust the number of bins and bin color assignments for the selected color mode.

The Choropleth map legend to the right of the map shows bins with their colors and value ranges.

Shapes

A shape corresponds to an individual region on a Choropleth map. For example, each state in a Choropleth map of the United States is a shape. You can adjust shape opacity and borders.

Tiles

Tiles represent map background features, such as oceans. Show or hide tiles.


Marker Maps

You can use the map visualization to plot geographic coordinates as interactive markers on a world map. Searches for map visualizations typically use the geostats search command to plot markers on a map. The geostats command is similar to the stats command, but provides options for zoom levels and cells for mapping. The geostats command generates events that include latitude and longitude coordinates for markers.


Viz ItalyMap3.png

PREVIOUS
Chart display issues
  NEXT
Dashboard tools and frameworks

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters