Splunk® Enterprise

Dashboards and Visualizations

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Generate a choropleth map

Geographic visualizations aggregate events by location. Location names might already be included in events. You can also use a search to generate locations from signed degree latitude and longitude coordinates in each event.

Choropleth maps have specific data and component requirements. A search uses the data and components to generate a choropleth map.

Working with map components and geographic data

Review the following component and data details before running a search.

Components for building geographic visualizations

These components are required for creating geographic visualizations.

Component Description Available options
Data with geographic coordinates Geographic visualizations start with data that includes location information for each event. This data can come from several sources, including a sensor or forwarded data source. Either:
  • Data with signed degree latitude and longitude coordinates.
  • Data with location names that match the location names in a lookup.
  • Data with IP address fields that can generate lat and lon fields using the iplocation command. For more information, see Use IP addresses to generate a choropleth map.
Lookup table file A lookup table file defines region boundaries, such as the boundaries of each state in the United States.

From the Search and Reporting home page, select Settings > Lookups > Lookup table files to review available files.
Either:
  • Built-in files for the United States, geo_us_states, and countries of the world, geo_countries.
  • Upload a KML or KMZ file for other places. Upload the file to the Lookup table files manager page.
Geospatial lookup A geospatial lookup matches coordinates to region definitions in the lookup table file.

From the home page, select Settings > Lookups > Lookup definitions for available lookup definitions.
Either:
  • Built-in lookups for the United States and for world countries.
  • Create a geospatial lookup. For more information, see Configure geospatial lookups in the Knowledge Manager Manual.

Use normalized data

Choropleth maps work best when data is normalized. Normalization adjusts data to more accurately reflect the metric that you are visualizing. For example, a choropleth map can compare sales performance in two cities with significantly different populations. Using normalized data to generate this map means that the population difference alone does not determine how the cities' sales compare on the map.

Test custom lookup files

If you are working with a custom lookup table file and geospatial lookup, you can use the inputlookup command to make sure that they are working properly before building a choropleth map.

For more information, see Configure geospatial lookups in the Knowledge Manager Manual.

Show all features on a map regardless of data coverage

If you have a data set that does not include values to aggregate for every feature in a choropleth map, you can use the geom command allFeatures parameter to show all shapes on the map when it renders.

For more information, see geom in the Search Reference.

Create the search

You will need search coordinates data, a transforming search, and a geospatial lookup to build a choropleth map or other geographic visualization. The following steps show you how to create a choropleth map search. Optionally, you can use the steps to generate other visualizations for geographic data.

Prerequisites
Make sure that you have the correct data and components for building a geographic visualization. See Components for building geographic visualizations.

Steps
Run each portion of the search as you build it to ensure that it is working correctly. Depending on the visualization you are creating and the components that you have, some steps are optional.

  1. Indicate an events data source.
    source=my_data.csv |
    Start with an events data source that has signed degree geographic coordinates or location name fields. For example, here is one record in a .csv file listing retail locations for a business. This file includes latitude and longitude coordinates for each record.
    Store Number,Name,Facility ID,Products,Services,Country,Latitude,Longitude
    12345,Buttermilk Tea Shop,54321,"Tea, Cake",Wi-Fi,US,43.031873,-71.073203
    

  2. (Optional) Add a lookup.
    lookup geo_us_states longitude as Longitude, latitude as Latitude |
    If the events data already includes location name or featureId fields, you can skip this step.

    The lookup uses the geographic coordinates to generate featureId and featureCollection fields for events. A featureId is the name of a geographic feature that includes a particular set of geographic coordinates, such as a state or city name. By default, the featureCollection is the lookup definition name.

    After adding the lookup and running the search, check the available Selected Fields or Interesting Fields to ensure that featureId is listed. If it is not, then the lookup did not generate the featureId from the geographic coordinates. Fields are case-sensitive.

  3. Use a transforming command.
    stats count by featureId |
    Aggregate the data using the lookup's geographic output field, featureId. If you did not need a lookup, aggregate by the location name field already in the events data.

  4. (Optional) Select and configure a visualization.
    You can use the search to generate non-map visualizations for geographic data. If you are not building a choropleth map, the search is complete. Use the Visualization Picker to select a visualization type. Use the Format menu to configure it.

  5. (Optional) Use geom to complete the choropleth map search.
    If you are building a choropleth map, add the geom command and pass in the lookup name for the featureCollection parameter.

    Depending on whether the events include a featureId field, select one of the following options.
    Events have Next steps Example
    featureId fields
    1. Use the lookup to which those fields belong.
    geom geo_us_states 
    Location names, no featureId field. This might be the case if you skipped the lookup earlier.
    1. Use a lookup that contains the location names. For example, if events have US state names, use geo_us_states.

    2. Indicate which events field geom should interpret as the featureIdfield.
    geom geo_us_states featureIdField="State"


For more information and advanced options for choropleth map queries, see geom in the Search Reference.

Example search

The full search assembled in the previous steps looks like this.

source=my_data_source.csv | lookup geo_us_states longitude as Longitude, latitude as Latitude | stats count by featureId | geom geo_us_states

Last modified on 14 February, 2022
Mapping data   Configure a choropleth map

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters