Dashboard Digest Series – Episode 5: Maps!

splunk_maps“A map does not just chart, it unlocks and formulates meaning; it forms bridges between here and there, between disparate ideas that we did not know were previously connected.” ― Reif Larsen, The Selected Works of T.S. Spivet

Welcome to Episode 5 of the Dashboard Digest series!

Maps play a critical role in visualizing machine data in almost any industry for thousands of use cases.  We’ve been continuously adding more mapping functionality to Splunk and with the recent addition of Custom Visualizations in Splunk 6.4 you (the community) have too!  This is exciting news as I’ve noticed many times the first panel on a dashboard that draws attention is a map.  The best part is that each of these displays is either native functionality or plug n’ play for Splunk making it easier than ever to visualize your geographic machine data in real-time.

In this post I’ll briefly go over some of the options for visualizing geographic data today and how to use them.  Enjoy!

Purpose: Display the different options for mapping geographic data in Splunk.
Splunk Version: Splunk 6.0 (added native pie chart map), Splunk 6.3 (added choropleths), Splunk 6.4 (added custom visualizations)
Data Sources: N/A.
Apps: Shapester, Geo Heatmap, Custom Cluster Map, Clustered Single Value Map, Location Tracker

In this post I’ll cover the following:

  1. Native Pie Chart
  2. Custom Cluster
  3. Custom Clustered Single Value
  4. Native Choropleths
  5. Custom Choropleths
  6. Geo Heatmap
  7. Location Tracker

1. Native Pie Chart

While being the first map type used in Splunk’s native maps, the pie chart can quickly tell a powerful story.  Using the geostats command, you can calculate statistics (just like the stats command) and plot the results using latitude/longitude coordinates.  The larger the statistic, the larger the pie chart.  And even better you can split by another field for additional context (see example below).

Example Syntax #1:  … | geostats sum(price) by action

*Note: If your latitude and longitude fields are named something other than latitude and longitude such as “lat” and “lon” you will need to add the following arguments to your search.

Example Syntax #2:  … | geostats latfield=your_latitude_field longfield=your_longitude_field count by threat

piechart1

2. Custom Cluster

The Custom Cluster Map is another way of representing quantities or values of a specific field.  This particular custom visualization is a remake of the Google Maps add-on back in Splunk 5.0.  You can change colors, clustering density and other options.  It’s a simple and effective way to determine abnormal values geographically.

Example Syntax #1:  … | geostats count
Example Syntax #2:  … | geostats latfield=your_latitude_field longfield=your_longitude_field avg(speed)

custom_clusters

3. Custom Clustered Single Value

The Custom Clustered Single Value visualization is one of my new favorites and contains a set of extremely powerful configuration options including the ability to add description popups with HTML support, color and style markers, add icons, disable clustering and plot nothing but single values. All of this can update dynamically in real-time!  There are tons of configuration options that you can learn about from the app page.

Example Syntax #1:  … | table latitude, longitude, title, description | eval icon=if(match(title,"SHIP\d+"),"ship","circle") | eval markerColor=if(match(title,"SHIP\d+"),"green","blue")
Example Syntax #2:  index=chicago_crime | eval description = "<b>".your_description_field."</b>" | table latitude, longitude, description

clustered_single_value

4. Native Choropleths

Splunk 6.3 brought us a great addition in Choropleth Maps. These use shading to show relative metrics, such as population or election results, for predefined geographic regions.  Out of the box Splunk supports the 50 states in the USA and countries around the world. Different color modes (Sequential, Divergent and Categorical) can be selected as well as customizable bin ranges to enhance granularity. The geom command is responsible for building the geographic boundaries and applying metrics/shading to them.

Example Syntax #1:  … | stats sum(acceleration) as accel by state | geom geo_us_states featureIdField=state
Example Syntax #2:  | inputlookup geo_attr_countries | fields country, region_un | geom geo_countries featureIdField=country

shake_choropleth

5. Custom Choropleths

Custom Choropleth Maps allow the use of custom polygons created from .kmz files or drawn from the Shapester app!  This capability really expands the use cases for choropleths and I highly recommend you try it out whether you create your own or use a pre-made .kmz file.  Just think – creating real-time alerts using your own custom built geo-fences all without having to write any code.

Example Syntax #1:  … | stats latest(Av_Level) by Zone | geom geo_avalanche_zones featureIdField=Zone

6. Geo Heatmap

The Geo Heatmap represents quantities or values of fields in a well… heatmap fashion!  The settings are configureable to change colors, transparency and map background.  Additionally there is an option to play back data over time.

Example Syntax #1: index=noaa | stats max(wind_speed) by latitude longitude
Example Syntax #2 (For Time Playback): index=noaa | timechart span=1h latest(latitude) as latitude latest(longitude) as longitude max(wind_speed) as value by title

heatmap

7. Location Tracker

The Location Tracker is one of my favorites due to its ability to not only show where an object(or multiple!) currently is but trace out its path over time.  Trying to get the native Splunk Pie Chart Map to do the same thing was never a fun task whereas  now it’s easy as pie.  Pun intended!  You can use stats to aggregate statistics but really you can just use 4 fields in a a table.  See example syntax below:

Example Syntax #1: ... | table _time latitude longitude
Example Syntax #2 (multiple objects): ... | table _time latitude longitude vehicle_type

It’s as simple as that!

location_tracker

 

Maps are an incredible way to display information.  I’m hoping this summarization of mapping capabilities gives you some ideas on the art of possible for mapping out geographic machine data in real-time!

That’s it for now .. Happy New Year and Happy Splunking!

Stephen

Related reads:

Dashboard Digest – Episode 1
Dashboard Digest – Episode 2 – Waves
Dashboard Digest – Episode 2 Part Deux – Hurricane Matthew
Dashboard Digest – Episode 3 – Splunk HQ Water and Energy
Dashboard Digest – Episode 4 – NFL Predictions

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*