Configure geospatial lookups

Splunk Cloud users must use Splunk Web to define lookups. See define a geospatial lookup in Splunk Web. If your Splunk Cloud deployment is a managed deployment, you must request a restart from Splunk Support after uploading lookup files, to make newly uploaded files appear in the list of files available for defining lookups.

Use geospatial lookups to create queries that return results that Splunk software can use to generate a choropleth map visualization. Choropleth maps cannot be rendered without the data generated by corresponding geospatial lookups.

A geospatial lookup matches location coordinates in your events to location coordinate ranges in a geographic feature collection known as a Keyhole Markup Zipped (KMZ) or Keyhole Markup Language (KML) file and outputs fields to your events that provide corresponding geographic feature information that is encoded in the feature collection. This information represents a geographic region that shares borders with geographic regions of the same type, such as a country, state, province, or county.

Splunk provides two geospatial lookups for the United States and for world countries, enabling you to render choropleth maps of:

• The USA, divided up into state regions.
• The world, divided up into countries.

This topic shows you how to create additional geospatial lookups that break up choropleth maps into other types of regions (counties, provinces, timezones, and so on).

For more information about choropleth maps and geographic data visualizations, see Mapping data, in the Dashboards and Visualizations manual.

For information on using an existing kmz file as a lookup, see the geom command in the Search Reference manual.

For more information on creating a choropleth map, see Generate a Choropleth map in the Dashboards and Visualizations manual.

The FeatureId and featureCollection fields

Geospatial lookups differ from other lookup types, because geospatial lookups are designed to always output these two fields: featureId and featureCollection. The featureId is the "name" of the feature, like "California" or "CA" or whatever is encoded in the feature collection. The featureCollection field provides the name of the lookup in which the feature was found.

If you pipe the output of a geospatial lookup directly into a geom command, the command does not need to be given the lookup name. The geom command detects the featureId and featureCollection fields in the event and uses the lookup to generate the geographic data structures that the Splunk software requires to generate a choropleth map. However, be aware that geographic data structures can be large; so it is strongly discouraged to pipe events into the geom command, as geographic data structures will be attached to every event. Instead, you should first perform stats on the results of your geographic lookup, and only perform geom on a "boiled down" aggregated statistic like count by featureId.

Define a geospatial lookup stanza in transforms.conf

The geospatial lookup stanza provides the location of the geographic feature collection to be used as a lookup table. It can optionally include:

• a feature_id_element attribute.
• field matching rules.
• rules for time-bounded lookups.

See the geospatial lookup stanza format for details.

If you want a geospatial lookup to be available globally, add its lookup stanza to the version of transforms.conf in $SPLUNK_HOME/etc/system/local/. If you want the lookup to be specific to a particular app, add its stanza to the version of transforms.conf in $SPLUNK_HOME/etc/apps/<app_name>/local/.

Caution: Do not edit configuration files in $SPLUNK_HOME/etc/system/default.

The geospatial lookup stanza format

When you create a geospatial lookup definition, follow this format.

[<lookup_name>]
external_type = geo
filename = <name_of_KMZ_file>
feature_id_element = <XPath_expression>

• [<lookup_name>] is the name of the lookup.
• external_type should be set to geo if you are defining a geospatial lookup.
• filename is the name of the KMZ file that you are using. KMZ files are also referred to as "geographic feature collections."
  • Two feature collections are provided: geo_us_states for the United States, and geo_countries for the countries of the world.
  • You can optionally upload geographic feature collections for other regions and feature types, such as US counties or European provinces.
• feature_id_element is an optional attribute. It is an XPath expression that defines a path from a Polygon element in the KML file to some other XML element or attribute that contains the name of the feature. Splunk software calls these Polygon elements a "feature". This is needed in cases where the typical style of named Placemark element is not in use.
  • feature_id_element may be required in cases where the featureID field generated by the lookup is an empty string, or when the feature collection returns incorrect features by default. In the latter case the feature that you want may be a peer of the default feature or is located relative to the default feature.
  • To determine what path you need, study the geographic feature collection. Each feature in the collection is tagged with Placemark, and each Placemark contains a name that the lookup writes out as featureId fields. For an example, see feature_id_element.
  • The default setting for feature_id_element is /Placemark/name.

XPath and feature_id_element example

The following is an example Placemark element extracted from a KML file.

<Placemark>
<name>Bayview Park</name>
<visibility>0</visibility>
<styleUrl>#msn_ylw-pushpin15</styleUrl>
<Polygon>
<tessellate>1</tessellate>
<outerBoundaryIs>
<LinearRing>
<coordinates>
-122.3910323868129,37.70819686392956,0 -122.3902274700583,37.71036559447013,0 -122.3885849520798,37.71048623150828,0 -122.38693857563,37.71105170319798,0 -122.3871609118563,37.71133850017815,0 -122.3878019922009,37.71211354629052,0 -122.3879259342663,37.7124647025671,0 -122.3880447162415,37.71294302956619,0 -122.3881688500638,37.71332710079798,0 -122.3883793249067,37.71393746998403,0 -122.3885493512011,37.71421419664032,0 -122.3889255249081,37.71472750657607,0 -122.3887475583787,37.71471048572742,0 -122.3908349856662,37.71698679132378,0 -122.3910091960123,37.71714685034637,0 -122.3935812625442,37.71844151854729,0 -122.3937942835165,37.71824640920892,0 -122.3943907534492,37.71841931125917,0 -122.3946363652554,37.71820562249533,0 -122.3945665820268,37.71790603321808,0 -122.3949430786581,37.71764553372926,0 -122.3953167478058,37.71742547689517,0 -122.3958076264322,37.71693521458138,0 -122.3960283880498,37.7166859403894,0 -122.3987339294558,37.71607634724589,0 -122.3964526840739,37.71310454861037,0 -122.396237742007,37.71265453835174,0 -122.3959650878797,37.7123218368849,0 -122.3955644372275,37.71122536767665,0 -122.3949262649838,37.7082082656386,0 -122.3910323868129,37.70819686392956,0 
</coordinates>
</LinearRing>
</outerBoundaryIs>
</Polygon>
</Placemark>

The Placemark element contains both a name element and a Polygon element. A Placemark can have multiple Polygons. Placemark associates a name to a set of Polygons, called a "feature." However, different KML files may organize their data differently, so we need to tell Splunk software where to find the name, relative to the Placemark element. We can do this with the feature_id_element configuration. By default, feature_id_element contains the XPath expression /Placemark/name.

Let's take a look at another Placemark element extracted from a KML file.

<Placemark> 
<name>MyFeature</name>
<ExtendedData> 
<SchemaData> 
<SimpleData name="placename">foo</SimpleData> 
<SimpleData name="bar">baz</SimpleData> 
</SchemaData> 
...

The XPath expression for this Placemark fragment would be feature_id_element=/Placemark/ExtendedData/SchemaData/SimpleData[@name='placename']).

Configure a geospatial lookup

Prerequisities

• See about lookups and field actions for more information on lookups.
• See Add field matching rules to your lookup configuration for information on field/value matching rules.
• See Make your lookup automatic for information on configuring an automatic lookup.
• For information on generating a choropleth map, see Choropleth maps in the Dashboards and Visualizations manual.

Steps

1. (Optional) Upload a geographic feature collection to your Splunk deployment, if you need to use a collection other than geo_us_states or geo_countries.

   Geographic feature collections are encoded as KMZ (Keyhole Markup Language) files.

   Upload the feature collection in Settings. Navigate to Settings > Lookups > Lookup table files.

   If you have a KML file, you can convert it to a KMZ file by compressing it and replacing the .zip extension with .kmz.

2. Create a geospatial lookup stanza in transforms.conf, following the stanza format described in "The geospatial lookup stanza format," above.

   If you want the lookup to be available globally, add its lookup stanza to the version of transforms.conf in $SPLUNK_HOME/etc/system/local/. If you want the lookup to be specific to a particular app, add its stanza to the version of transforms.conf in $SPLUNK_HOME/etc/apps/<app_name>/local/.

   Caution: Do not edit configuration files in $SPLUNK_HOME/etc/system/default.

3. (Optional) Set up field/value matching rules for the geospatial lookup.
4. (Optional) Make the geospatial lookup an automatic lookup by adding a configuration to props.conf.

   If you want the automatic lookup to be available globally, add its lookup stanza to the version of props.conf in $SPLUNK_HOME/etc/system/local/. If you want the lookup to be specific to a particular app, add its stanza to the version of props.conf in $SPLUNK_HOME/etc/apps/<app_name>/local/.

   Caution: Do not edit configuration files in $SPLUNK_HOME/etc/system/default.

5. Save your .conf file changes.
6. Restart Splunk Enterprise to implement your changes.

   If you have set up an automatic lookup, after restart you should see the output fields from your lookup table listed in the fields sidebar. From there, you can select the fields to display in each of the matching search results.

Search commands and geospatial lookups

After you save a geospatial lookup stanza and restart Splunk Enterprise, you can interact with the new geospatial lookup through search commands like inputlookup or geom. This example uses the default geo_us_states lookup and the search command inputlookup to quickly check the featureIds of your geospatial lookup or show all geographic features on a Choropleth map visualization.

Prerequisites

• A geospatial lookup, see above.
• See inputlookup in the Search Reference manual for more information on the inputlookup command.
• See geom in the Search Reference manual for more information on the geom command.

Steps:

1. From the Search and Reporting app, use the inputlookup command to search on the contents of your geospatial lookup.

| inputlookup geo_us_states

2. Check to make sure that your featureIds are in the lookup with the featureId column.
3. Click on the Visualization tab.
4. Click on Cluster Map and select Chloropleth Map for your visualization.

A choropleth map displaying the featureIds of your geospatial lookup appears. For more information on choropleth maps, see Generate a choropleth map in the Dashboards and Visualizations manual.

Geospatial lookup example

Here is a geospatial lookup called geo_us_states. It is located in $SPLUNK_HOME/etc/apps/search/lookups.

[geo_us_states]
external_type=geo
filename=geo_us_states.kmz

This lookup deals with a geographic feature collection that contains US states.

To use this lookup to build a choropleth map, you need to create a search that queries it in a manner that returns results that can be used to generate the map. The search needs to do all of these things:

• Indicate an events data source.
• Query the lookup by matching fields in your events to fields in the KMZ file.
• Include a transforming command that aggregates the data using featureId, the lookup's geographic output field.
• Use the geom search command to generate data that can be used to create a choropleth map.

This is a partial choropleth map query. It meets the first two of the four requirements listed above for a choropleth map lookup search. It returns the latitude and longitude for features in the feature collection.

sourcetype=crime_data cc=USA | lookup geo_us_states latitude, longitude

The output of that lookup should look something like this:

You can update this search to display results for the geom command. Note that the geom command should be preceded by a transforming command operation, such as this one involving count.

This is a full choropleth map query. It retrieves crime event counts by US state and adds the geometry of each state as a geom column.

sourcetype=crime_data cc=USA | lookup geo_us_states latitude, longitude | stats count by featureId | geom

The output of that search should look something like this:

_featureIdField is a hidden field that works with the geomfilter post-process search command, when you run a search that contains it. It allows geomfilter to know which field contains the featureId values, even when featureId is renamed to something else.

For example, say you rename featureId to state. If you run geomfilter, it consults the stored search results in the search dispatch folder and looks in the _featureIdField column, where it finds the value state. This causes it to seek the featureId values it needs for its calculations in the state column.

For more information about geospatial lookup search queries, see Mapping data in the Dashboards and Visualizations manual.