Splunk® Enterprise

Dashboards and Visualizations


Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Generate a choropleth map

To create a choropleth map, aggregate your data to create a table with one row per feature, or polygon, in the geographic feature collection you're using to draw the geospatial boundaries on the map. The color shading on each polygon in the map represents its aggregate value.


Create a choropleth statistics table

Use the Splunk Search Processing Language (SPL) to create a table that contains aggregations corresponding to polygon names. In this case, we're mapping California by county, so you need a table with one row for each county in California.

  1. Navigate to the Search & Reporting app.
  2. Type the following into the search bar to restrict the year to 2018 and state to CA so that your table includes only the data you want to map.

    source="us_drought_monitor.csv" State = CA date_year=2018

  3. Add the following to the search to remove the word "County" from the County field so that it matches the featureId field in the lookup.

    | rex field=County "(?<County>.+) County"

  4. Add the following to calculate an aggregate drought score to synthesize the four drought severity categories into one value you can map. See the Drought Severity and Coverage Index page of the USDM website for more information about this aggregate value.

    | eval droughtscore = D1 + D2*2 + D3*3 + D4*4

  5. Add the following to aggregate the weekly drought scores to generate a table with one row per county.

    | stats avg(droughtscore) as "2018 Drought Score" by County

    Averaging the data using avg() helps normalize the data and tighten the range over which the color bins are spread. Using sum() or max() to aggregate the data instead would result in a larger spread, making the bin-widths larger and generating a less informative map.

  6. Add the following to your search to associate the polygons in your geospatial lookup file with the corresponding county row using the geom command.

    | geom ca_county_lookup featureIdField=County

Putting the whole search together, it looks like the following (the search will eventually require an index and a time range of All Time):

    source="us_drought_monitor.csv" State = CA date_year=2018
    | rex field=County "(?<County>.+) County"
    | eval droughtscore = D1 + D2*2 + D3*3 + D4*4
    | stats avg(droughtscore) as "2018 Drought Score" by County
    | geom ca_county_lookup featureIdField=County

The results appear in the Statistics tab, and include the following:

  • A County column, which serves as the featureId. In choropleth maps, each polygon is known as a feature, and its unique name is called the featureId.
  • A 2018 Drought Score column, which is the value shaded in the choropleth map.
  • A featureCollection column, which indicates the geographic feature collection from which the geom command retrieved the polygon boundaries.
  • A geom column, which contains the geographic polygon coordinates.

The statistics table looks like the following example:

| County | 2018 Drought Score | featureCollection | geom |
|---|---|---|---|
| Alameda | 16.037 | ca_county_lookup | {"type":"MultiPolygon","coordinates":[[[[-122.31109619140625, 37.8634033203125],[-122.31109619140625, 37.8634033203125]]]]} |
| Alpine | 0 | ca_county_lookup | {"type":"MultiPolygon","coordinates":[[[[-119.93537902832031, 38.8084831237793],[-119.93537902832031, 38.8084831237793]]]]} |
| Butte | 23.843 | ca_county_lookup | {"type":"MultiPolygon","coordinates":[[[[-121.63543701171875, 40.000885009765625],[-121.63543701171875, 40.000885009765625]]]]} |
| Calaveras | 3.614 | ca_county_lookup | {"type":"MultiPolygon","coordinates":[[[[-120.21088409423828, 38.500003814697266],[-120.21088409423828, 38.500003814697266]]]]} |
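
An added example, not part of the Splunk documentation: a Python re-implementation of the rex, eval and stats steps over constructed rows. It compares the spread that avg(), sum() and max() produce and lists County values with no counterpart among the lookup's featureIds. The sample rows, the FEATURE_IDS set and all function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed weekly rows in the shape of us_drought_monitor.csv (values are made up).
ROWS = [
    {"County": "Alameda County", "D1": 10.0, "D2": 5.0, "D3": 0.0, "D4": 0.0},
    {"County": "Alameda County", "D1": 20.0, "D2": 10.0, "D3": 0.0, "D4": 0.0},
    {"County": "Butte County", "D1": 30.0, "D2": 10.0, "D3": 2.0, "D4": 0.0},
    {"County": "Butte County", "D1": 40.0, "D2": 20.0, "D3": 4.0, "D4": 1.0},
    {"County": "Alpine", "D1": 0.0, "D2": 0.0, "D3": 0.0, "D4": 0.0},  # no suffix
]
# Constructed stand-in for the featureId values held in ca_county_lookup.
FEATURE_IDS = {"Alameda", "Alpine", "Butte", "Calaveras"}

COUNTY_RE = re.compile(r"(?P<County>.+) County")  # Python spelling of the rex pattern

def normalize(county):
    """Mimic the rex step: replace County only when the pattern matches."""
    m = COUNTY_RE.search(county)
    return m.group("County") if m else county

def score(row):
    # Same weighting as the eval step.
    return row["D1"] + row["D2"] * 2 + row["D3"] * 3 + row["D4"] * 4

def aggregate(rows, func=mean, clean=True):
    """Mimic `stats <func>(droughtscore) by County`; clean=False skips the rex step."""
    by_county = defaultdict(list)
    for row in rows:
        name = normalize(row["County"]) if clean else row["County"]
        by_county[name].append(score(row))
    return {name: func(scores) for name, scores in by_county.items()}

def spread(table):
    """Range of values the color bins have to cover."""
    return max(table.values()) - min(table.values())

def join_report(table, feature_ids):
    """(County values with no featureId, featureIds with no County row)."""
    names = set(table)
    return sorted(names - feature_ids), sorted(feature_ids - names)

if __name__ == "__main__":
    for func in (mean, sum, max):
        print(func.__name__, spread(aggregate(ROWS, func)))
    print(join_report(aggregate(ROWS, clean=False), FEATURE_IDS))
```
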

Generate and configure your choropleth map

Follow these steps to transform your table into an informative choropleth map:

  1. Select the Visualization tab below the search bar.
  2. Ensure the visualization type is set to Choropleth Map. If not, select the name of the current visualization type and choose Choropleth Map under Recommended.
  3. Zoom to California to view your map by clicking the + button or double-clicking the map.
  4. (Optional) Increase the number of bins to create a more informative visualization.
    1. Click Format > Colors.
    2. Under Number of Bins, select a higher number such as 8 or 9. Using more bins increases the number of shades representing groups of drought score values and reflects more subtle differences between counties.
  5. (Optional) To preserve your zoom settings for the next time you run the search, select Populate with current map settings under General.
  6. Save your map to a dashboard.
    1. Select Save As > Dashboard Panel.
    2. Under Dashboard, select New.
    3. Under Dashboard Title, enter CA Drought Monitor.
    4. Under Panel Title, enter Drought score by county.
    5. Under Panel Content, select Choropleth Map.
    6. Click Save.

The finished product is the following choropleth map that demonstrates the severity of drought conditions by California county in 2018:

Screenshot of finished choropleth map of California drought severity by county in 2018

To zoom in further and inspect a specific subregion of California, select Tiles > Populate from preset configuration > Open Street Map to change the background layer to a more detailed map.

Next step

(Optional) Use Trellis view to visualize multiple aggregate functions

Last modified on 18 December, 2019

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.1.0
