Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Use geostats to mark multiple points on the map and separate them

ShiORi
New Member
‎11-15-2017 01:31 PM

Hi! I have a question that I want to mark multiple points on the map.
But it seems because the distance is too close, it merged into one point.
This is my code:

|inputlookup macAddr_lat  
|append [search source="udp:5567" 000000000d0100b4 OR 000000000d0100ce OR 000000000d0100c1 OR 000000000d0100c8 
|rex field=data "fc000105(?<ParkData>\d{2})" 
|eval ParkStatus=case(ParkData=="02","Not yet learn",ParkData=="22","Had Learn",ParkData=="20","No Car Parking",ParkData=="21","Parking",ParkData=="23","Keep Parking",ParkData=="60","No Car Parking",ParkData=="61","Parking",ParkData=="62","Keep Correcttio",ParkData=="63","Had Correcttion")
|eval secondsAgoStr=tonumber(now() - _time) 
|table macAddr data ParkData ParkStatus  _time time secondsAgoStr rssi snr ] |table macAddr data ParkData ParkStatus  _time time secondsAgoStr rssi snr latitude longtitude |selfjoin macAddr |dedup macAddr
|search ParkData=*
|eval redCount=if(ParkData=21 OR ParkData=23 OR ParkData=61,"Parking",NULL())
|eval greenCount = if (ParkData=20 OR ParkData=22 OR ParkData=60 OR ParkData=62,"No Car Parking",NULL())
|eventstats sum(duration) AS Today_Parking_TotalTime 
|eval percentage=round(duration/Today_Parking_TotalTime*100 ,2) |eval percentage=tostring(percentage+"%") | addcoltotals labelfield=Today_Parking_TotalTime label=Today_Parking_TotalTime 
|fields - _raw ,- closed_txn ,- field_match_sum , - linecount ,- Today_Parking_TotalTime 
 | geostats latfield=latitude longfield=longtitude count(redCount) as "Parking" count(greenCount) as "NoCarParking"

And the point what I click is:
alt text
How do I separate them on the map?

Preview file
1 KB
0 Karma
Reply

apilger_splunk
Splunk Employee
Splunk Employee
‎01-15-2018 10:13 AM

Hi ShiORi,

The geostats command has two parameter to adjust the granularity for positioning point on the map: binspanlong and binspanlat
You may use smaller values that default eg.:
| geostats latfield=latitude binspanlong=10 binspanlat=5 longfield=longtitude count(redCount) as "Parking" count(greenCount) as "NoCarParking"

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...