Generate a choropleth map
You can use a choropleth map to configure shading to show relative metrics, such as population or election results, for predefined geographic regions. For example, this image shows a map of the United States. States have lighter or darker shades of two different colors. One color represents low values for a particular metric. The darkest shading in this color represents the lowest values. The other color represents high values for the same metric. The darkest shading in this color represents the highest values. Shading fades as the values approach the middle of this range.
Geographic visualizations aggregate events by location. Location names might already be included in events. You can also use a search to generate locations from signed degree latitude and longitude coordinates in each event.
Choropleth maps have specific data and component requirements. A search uses the data and components to generate a choropleth map.
Working with map components and geographic data
Review the following component and data details before running a search.
Components for building geographic visualizations
These components are required for creating geographic visualizations.
|Data with geographic coordinates||Geographic visualizations start with data that includes location information for each event. This data can come from several sources, including a sensor or forwarded data source.||Either:
|Lookup table file||A lookup table file defines region boundaries, such as the boundaries of each state in the United States.
From the Search and Reporting home page, select Settings > Lookups > Lookup table files to review available files.
|Geospatial lookup||A geospatial lookup matches coordinates to region definitions in the lookup table file.
From the home page, select Settings > Lookups > Lookup definitions for available lookup definitions.
In order to use the default lookups in Splunk Enterprise, you must make sure they are available to the app, i.e. you must make sure they are available in a shared, rather than private place.
Use normalized data
Choropleth maps work best when data is normalized. Normalization adjusts data to more accurately reflect the metric that you are visualizing. For example, a choropleth map can compare sales performance in two cities with significantly different populations. Using normalized data to generate this map means that the population difference alone does not determine how the cities' sales compare on the map.
Test custom lookup files
If you are working with a custom lookup table file and geospatial lookup, you can use the
inputlookup command to make sure that they are working properly before building a choropleth map.
For more information, see Configure geospatial lookups in the Knowledge Manager Manual.
Create the search
You will need search coordinates data, a transforming search, and a geospatial lookup to build a choropleth map or other geographic visualization. The following steps show you how to create a choropleth map search. Optionally, you can use the steps to generate other visualizations for geographic data in Search & Reporting.
Run each portion of the search as you build it to ensure that it is working correctly. Depending on the visualization you are creating and the components that you have, some steps are optional.
- Indicate an events data source.
Start with an events data source that has signed degree geographic coordinates or location name fields. For example, here is one record in a .csv file listing retail locations for a business. This file includes latitude and longitude coordinates for each record.
Store Number,Name,Facility ID,Products,Services,Country,Latitude,Longitude 12345,Buttermilk Tea Shop,54321,"Tea, Cake",Wi-Fi,US,43.031873,-71.073203
- (Optional) Add a lookup.
lookup geo_us_states longitude as Longitude, latitude as Latitude |
The lookup uses the geographic coordinates to generate
featureCollectionfields for events. A
featureIdis the name of a geographic feature that includes a particular set of geographic coordinates, such as a state or city name. By default, the
featureCollectionis the lookup definition name.
After adding the lookup and running the search, check the available Selected Fields or Interesting Fields to ensure that
featureIdis listed. If it is not, then the lookup did not generate the
featureIdfrom the geographic coordinates. Fields are case-sensitive.
- Use a transforming command.
Use a transforming command such as
if you have source data. Aggregate the data using the lookup's geographic output field,
stats count by featureId
featureId. If you did not need a lookup, aggregate by the location name field already in the events data.
- (Optional) Select and configure a visualization.
You can use the search to generate non-map visualizations for geographic data. If you are not building a choropleth map, the search is complete. To format a choropleth map, see Format a choropleth map.
- Use the lookup to which those fields belong. For example, if events have US state names, use
- Indicate which events field should interpret as the
featureId. For example:
rename featureId as state
- State which fields to return. For example:
fields state, numb
The full search assembled in the previous steps looks like this.
| inputlookup geo_us_states
| stats count by featureId
| rename featureId as state
| fields state, numb
Generate a choropleth map
- Select the one of the choropleth maps by clicking the Add Chart button ( ) in the editing toolbar and either browsing through the available charts, or by using the search option.
There are three types of Choropleth maps available: A map of the US
viz.geojson.us, a world map
viz.choropleth.svg. To learn more about Choropleth SVG see Generate a choropleth map.
- Select the chart on your dashboard so that it's highlighted with the blue editing outline.
- (Optional) Set up a new data source by adding a query to the Search window.
- To choose an existing search, close the window and select the visualization. If the Configuration panel doesn't appear, click the Configuration button ( ) to bring up the Configuration panel and click +Setup Primary Data Source to choose an existing search.
Add a text box
Format a choropleth map
This documentation applies to the following versions of Splunk® Enterprise: 8.2.1, 8.2.2