Splunk Cloud

Dashboards and Visualizations with Simple XML


Tutorial overview

Choropleth maps visualize data aggregated by location.

To create a choropleth map that visualizes a value, you need a geographic feature collection that provides geographic boundaries at the same level of granularity as your data. For example, if you want to map the US population by state, you can use a Splunk search to create a statistics table with a row for the population of each state and use the geo_us_states lookup to render the geometry of states on the map. To map the population by county, you would need to create a more granular table with a row for every US county and a new geospatial lookup that provides boundaries of all US counties. To learn more about geospatial lookups, see Define a geospatial lookup in Splunk Web in the Knowledge Manager Manual.


In this tutorial, you will learn how to do the following:

  • Locate and upload a public data file from the United States Drought Monitor and a geospatial boundary file at the appropriate level of granularity into your Splunk platform instance.
  • Use the lookup file to create a new geospatial lookup in addition to the geo_us_states and geo_countries lookups that are included with Splunk software.
  • Generate a choropleth map that demonstrates the severity of drought conditions by California county in 2018.

Your finished choropleth map will look like the following image:
Screenshot of finished choropleth map of California drought severity in 2018


Make sure that you have a running Splunk platform instance. See the following links for information:


  1. Locate and download USDM data
  2. Upload and configure your data
  3. Download a California counties shapefile
  4. Create a new geospatial lookup
  5. Generate a choropleth map
  6. (Optional) Use Trellis view to visualize multiple aggregate functions
Last modified on 18 June, 2020

This documentation applies to the following versions of Splunk Cloud: 7.0.13, 8.1.2103, 8.1.2008, 8.1.2011, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2006, 8.0.2007, 8.1.2009, 8.1.2012 (latest FedRAMP release), 8.1.2101
