Splunk® Enterprise

Splunk Dashboard Studio

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Maps

Use a map to visualize geospatial data on a map area of your choice. Geospatial data combines your data sets with coordinates on Earth to visually represent quantities and spread across locations.

A map showing several different world continents. Purple colored markers cluster in different regions.

Generate a map

  1. Select the map visualization using the visual editor by clicking the Add Chart button (A bar graph as an icon.) in the editing toolbar and browsing through the available charts, or by using the search option.
  2. Select the map on your dashboard to highlight it with the blue editing outline.
  3. Set up a new data source by adding a search to the Search with SPL window.
    1. Maps with marker clusters use the SPL table command.
    2. Maps with bubble clusters use the SPL geostats command.
    3. For example, the following are two different searches. The first is a search for marker layers and the second is a search for bubble layers.
    | inputlookup geomaps_data.csv
    | iplocation device_ip
    | table bytes device_ip lat lon
    
    | inputlookup geomaps_data.csv
    | iplocation device_ip
    | geostats latfield=lat longfield=lon count by method
    
  4. To select an existing data source, close the Configuration panel and reopen it. In the Data Configurations section, click +Setup Primary Data Source and click + Create Ad hoc Search to create a new search from this window. You can also choose a new ID that describes the search better than the default.

Configuration panel options

You can use the Configuration panel to configure the following map components.

Title

Give your visualization a name. The title name is also helpful when searching for individual visualizations in the dashboard definitions and is not the same as the automatically assigned unique ID.

Description

Give your visualization a description to explain what the user is viewing.

Data Configurations

Choose an existing search or create a new one.

Position & Size

You can use your mouse or the Position & Size section of the Configuration panel to change the size or location of the visualization for pixel-perfect sizing and placement.

Data Layer Formatting
Select the map's layer type.

  • The Marker layer type uses map pins to visualize data and clusters.
    • Click the Latitude dropdown to select the data source for the visualization's latitude.
    • Click the Longitude dropdown to select the data source for the visualization's longitude.
  • The Bubble layer type uses differently sized circles or pie charts to visualize data and clusters.
    • Click the Latitude dropdown to select the data source for the visualization's latitude.
    • Click the Longitude dropdown to select the data source for the visualization's longitude.
    • Click the Size dropdown to select the visualization's bubble size data source.

Drilldown
Use drilldown to create interactivity with the different map layers. For example, with drilldown, users can click on a bubble to set a token which you can use to open a secondary search using the clicked values. For more details about setting tokens, see Setting tokens on a visualization click.

Code
Select your visualization or its search to view and edit the source code in real-time. You can also change the Visualization ID to a more readable ID to help identify this visualization in the source code.

Marker map example

The following marker map example uses colorRangeConfig to create differently colored marker clusters to demonstrate a range of HTTP requests across geographical regions. Red indicates a high number of requests, yellow shows a medium level, and green indicates a low level.

A map showing several different world continents. Yellow, pink, and green colored markers cluster in different regions.

Source code

The following is the source code for the marker map example.

{
	"visualizations": {
		"viz_marker_cluster": {
			"type": "splunk.map",
			"options": {
				"center": [
					37.7749,
					-122.4195
				],
				"zoom": 0,
				"layers": [
					{
						"type": "marker",
						"latitude": "> primary | seriesByName(\"lat\")",
						"longitude": "> primary | seriesByName(\"lon\")",
						"dataColors": "> primary | seriesByName(\"bytes\") | rangeValue(colorRangeConfig)"
					}
				]
			},
			"context": {
				"colorRangeConfig": [
					{
						"from": 3000,
						"value": "#de1d20"
					},
					{
						"from": 2000,
						"to": 3000,
						"value": "#de1d20"
					},
					{
						"from": 100,
						"to": 2000,
						"value": "#ded41d"
					},
					{
						"to": 1000,
						"value": "#4ade1d"
					}
				]
			},
			"dataSources": {
				"primary": "ds_x7YkfW2Y"
			}
		},
"dataSources": {
		"ds_x7YkfW2Y": {
			"type": "ds.search",
			"options": {
				"query": "| inputlookup geomaps_data.csv\n| iplocation device_ip\n| table bytes device_ip lat lon"
			},
			"name": "Search_1"
		},
		"ds_TMfPIhsl": {
			"type": "ds.search",
			"options": {
				"query": "| inputlookup geomaps_data.csv\n| iplocation device_ip\n| table bytes device_ip lat lon"
			},
			"name": "Search_2"
		},
		"ds_4QzeZfAB": {
			"type": "ds.search",
			"options": {
				"query": "| inputlookup geomaps_data.csv\n| iplocation device_ip\n| geostats latfield=lat longfield=lon count"
			},
			"name": "Search_3"
		},
		"ds_DHERK2tc": {
			"type": "ds.search",
			"options": {
				"query": "| inputlookup geomaps_data.csv\n| iplocation device_ip\n| geostats latfield=lat longfield=lon count by method"
			},
			"name": "Search_4"
		}
	},
	"defaults": {
		"dataSources": {
			"ds.search": {
				"options": {
					"queryParameters": {
						"latest": "$global_time.latest$",
						"earliest": "$global_time.earliest$"
					}
				}
			}
		}
	},
	"inputs": {
		"input_global_trp": {
			"type": "input.timerange",
			"options": {
				"token": "global_time",
				"defaultValue": "-24h@h,now"
			},
			"title": "Global Time Range"
		}
	},
	"layout": {
		"type": "absolute",
		"options": {
			"display": "auto-scale"
		},
		"structure": [
			{
				"item": "viz_marker_cluster",
				"type": "block",
				"position": {
					"x": 40,
					"y": 560,
					"w": 490,
					"h": 300
				}
			},
		],
		"globalInputs": [
			"input_global_trp"
		]
	},
	"description": "",
	"title": "Marker Cluster Map example"
}

Bubble map example

The following bubble map example uses bubble clusters to demonstrate the type and number of HTTP requests in different geographic regions.

A map of different world continents. Pie charts of different sizes are scattered in different regions of the map. Purple portions of the charts represent GET requests and blue portions of the charts represent POST requests.

Source code

The following is the source code for the bubble map example.

{
   "visualizations": {
       "viz_bubble_cluster": {
           "type": "splunk.map",
           "options": {
                "layers": [
		    {
		        "type": "bubble"
		    }
		]
           },
           "dataSources": {
               "primary": "ds_DHERK2tc"
           }
       }
   },
   "dataSources": {
       "ds_x7YkfW2Y": {
           "type": "ds.search",
           "options": {
               "query": "| inputlookup geomaps_data.csv\n| iplocation device_ip\n| table bytes device_ip lat lon"
           },
           "name": "Search_1"
       },
       "ds_TMfPIhsl": {
           "type": "ds.search",
           "options": {
               "query": "| inputlookup geomaps_data.csv\n| iplocation device_ip\n| table bytes device_ip lat lon"
           },
           "name": "Search_2"
       },
       "ds_4QzeZfAB": {
           "type": "ds.search",
           "options": {
               "query": "| inputlookup geomaps_data.csv\n| iplocation device_ip\n| geostats latfield=lat longfield=lon count"
           },
           "name": "Search_3"
       },
       "ds_DHERK2tc": {
           "type": "ds.search",
           "options": {
               "query": "| inputlookup geomaps_data.csv\n| iplocation device_ip\n| geostats latfield=lat longfield=lon count by method"
           },
           "name": "Search_4"
       }
   },
   "defaults": {
       "dataSources": {
           "ds.search": {
               "options": {
                   "queryParameters": {
                       "latest": "$global_time.latest$",
                       "earliest": "$global_time.earliest$"
                   }
               }
           }
       }
   },
   "inputs": {
       "input_global_trp": {
           "type": "input.timerange",
           "options": {
               "token": "global_time",
               "defaultValue": "-24h@h,now"
           },
           "title": "Global Time Range"
       }
   },
   "layout": {
       "type": "absolute",
       "options": {
           "display": "auto-scale"
       },
       "structure": [
           {
               "item": "viz_bubble_cluster",
               "type": "block",
               "position": {
                   "x": 20,
                   "y": 20,
                   "w": 940,
                   "h": 490
               }
           }
       ],
       "globalInputs": [
           "input_global_trp"
       ]
   },
   "description": "",
   "title": "Bubble cluster example"

Source options for maps

The following options are available for editing maps in the source editor.

Property Type Default Description
backgroundColor string > themes.defaultBackgroundColor Specify the color for the background. You can use a data source or hexadecimal code to apply the color.
center number n/a Specify the map's center using latitude and longitude. The center might automatically set or result in [0,0] coordinates depending on available data.
layers object[] [object Object],[object Object] Specify the data visualization layers on top of the base map. The layer can also be empty and only show the base map.
scaleUnit ("metric" | "imperial") metric Specify which scale unit to use.
showScale boolean TRUE Specify whether to show the scale on the bottom left.
baseLayerTileServer string n/a Specify the tile set URL for the base map. For example, you might use street tiles for a neighborhood map or terrain tiles for a mountain range map.
baseLayerTileServerType ("vector" | "raster") n/a Specify the type of tile set for the base map. Valid types include "vector" and "raster".
zoom number n/a Specify the zoom level of the map.

layers (object type)

The following are nested options that you can set in the layers section of the visualization stanza.

Property Type Default Description
type ("marker" | "bubble") bubble Specify the type of data layer method to display points on the map. For example, "bubble" or "marker".
bubbleSize (string | array) frameBySeriesTypes("number") Specify the data column to encode bubble size. This applies to layers where the type is "bubble".
latitude (string | array) > primary | seriesByName("latitude") Specify a data source to apply latitude coordinates for data points displayed on the map.
longitude (string | array) > primary | seriesByName("longitude") Specify a data source to apply longitude coordinates for data points displayed on the map.
dataColors (string | array) n/a seriesByName("status") | matchValue(colorMatchConfig)".
seriesColors string[] ["#7B56DB", "#009CEB", "#00CDAF", "#DD9900", "#FF677B", "#CB2196", "#813193", "#0051B5", "#008C80", "#99B100", "#FFA476", "#FF6ACE", "#AE8CFF", "#00689D", "#00490A", "#465D00", "#9D6300", "#F6540B", "#FF969E", "#E47BFE"] Specify the colors used for data points. If the dataColors option is specified, the seriesColors option is ignored.
resultLimit number 1000 Specify the maximum number of data points to render on the map.
Last modified on 03 January, 2023
Link graphs   Parallel coordinates

This documentation applies to the following versions of Splunk® Enterprise: 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters