Splunk Choropleth Maps: A Guided Tutorial [+Video]

Splunk provides many visualizations to represent data. One of the most popular visualizations is the choropleth map which is best suited for location data.

What is a choropleth map?

A choropleth map is a type of map that uses colors, shades, and symbols to display the average values of specific data across geographic regions. Choropleth maps are built from KML files (Keyhole Markup Language) or their compressed form, KMZ, which use latitude and longitude coordinates to outline each region. You can create choropleth maps in Splunk using the choropleth visualization.

To get started, press play on the video to follow along with the written instructions.

How to Create a Choropleth Map

1. Choose your data.

I’m using a CSV file that I will be uploading to my Splunk instance. The first row in the file contains the field names and the remaining rows contain the values.

This is what the CSV of Employee Records looks like when it’s ingested to Splunk:

source="employee_data.csv" 
| eval Name=first_name + " " + last_name
| table Name ip_address state

2. Select the KML file for the choropleth map.

Let’s take a look at the KML file I will be using to create our choropleth map:

| inputlookup geo_us_states

Here we see a featureId field whose values correlate with our state field, along with the coordinates that define each state’s region.

3. Select the choropleth visualization.

Next, let’s choose the choropleth visualization. Notice that the count for each state is set to 0, causing all states to display the same highlighted color. You’ll want it this way for now as we head into the next step.

4. Create the query.

Now, let’s dive deeper into the employee CSV data to create our query.

source="employee_data.csv" 
| stats count by state

Note that all states now have a count. We will use this data to populate our choropleth map.

5. Correlate the KML file’s featureId field.

In order to populate the choropleth map, we will use the ‘geom’ command to correlate the KML file’s featureId field, which holds the state names, with the state field found in the employee CSV data.

As you can see, each state now has a count of the employees residing within it, as well as the coordinates used to draw each state’s boundaries.

source="employee_data.csv" 
| stats count by state
| geom geo_us_states featureIdField=state

6. Create custom values.

While Splunk’s default formatting can be great for some datasets, let’s create custom values to use in our key and sort by on the map.

Using a case statement, we can pass multiple condition and value pairs; the first condition that matches determines the value.

source="employee_data.csv" 
| stats count by state
| eval count = case(count<10, "Less than 10", count<=30, "10-30", count<=60, "30-60", count<=100, "60-100", count>100, "Over 100")
| geom geo_us_states featureIdField=state

7. Reset the null value.

Finally, let’s take care of any count that is still null and set it to something more user-friendly.

source="employee_data.csv" 
| stats count by state
| eval count = case(count<10, "Less than 10", count<=30, "10-30", count<=60, "30-60", count<=100, "60-100", count>100, "Over 100")
| fillnull value="No Employees"
| geom geo_us_states featureIdField=state

As you can see, we now have a fully populated map visualizing the states in which employees reside.

If you found this helpful… 

You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.

Cue Atlas Assessment: a customized report to show you where your Splunk environment is excelling and opportunities for improvement. Once you download the app, you’ll get your report in just 30 minutes.


How to Manage Splunk Apps & Users


It’s not realistic for you or your engineering team to be the only group responsible for the successful deployment of your Splunk environment. Splunk offers several levels of permissions that grant access to the stakeholders you’ll want to add. This way, you don’t have to worry about the power of Splunk getting into inexperienced hands.

In this article, we’ll show you how to manage your Splunk apps and users as well as guide you on the deployment, configuration, and authentication processes. Let’s get started.


What is a Splunk deployer?

The first step to administering Splunk apps and users is to use the Splunk deployer. According to Splunk, a deployer is a Splunk Enterprise instance that you use to distribute apps and other configuration updates to search head cluster members.

How the Splunk Deployer Works

  1. A Splunk admin executes a command to apply a new or updated configuration bundle, or a search head cluster member joins the cluster.
  2. The search head cluster checks with the deployer for available updates.

Deploying new or updated apps has its own set of rules and functions a bit differently.

  1. Create an app by going to apps > manage apps > create app 
  2. Copy the app directory
  3. Deploy the configuration bundle with the apply cluster-bundle command

Configuring and Authenticating Splunk Roles and Users

Giving Splunk access to various users in your organization is relatively straightforward. If you have a smaller team of users, you can use the native authentication controls in Splunk, but for larger teams and companies, you’ll find it helpful to use Security Assertion Markup Language (SAML) or Lightweight Directory Access Protocol (LDAP) authentication. We’ll go over each of these methods in this section.

Types of Splunk authentication

Native Splunk Authentication

To access the authentication settings in Splunk, navigate to settings > access controls. From here, you can create a new user and assign their permissions. The most common permissions you’ll use are:

  • Admin: All permissions are included by default except can_delete, which can be added manually.
  • Power: Ability to schedule searches.
  • User: The basic search permissions.

SAML authentication

SAML authentication allows you to use single sign-on (SSO) backed by information from your identity provider (IdP). To configure SAML, navigate to settings > access controls > authentication method and select SAML. From here, you’ll want to work with the person responsible for SAML within your organization to retrieve the correct configuration settings.

LDAP authentication

To authenticate users in the Splunk Cloud Platform, you’ll want to use the LDAP scheme. Before entering the settings for LDAP, Splunk recommends that you complete these three steps first:

  1. Create an LDAP strategy
  2. Map LDAP groups to Splunk roles
  3. Specify the connection order of LDAP servers (if you have multiple servers)

Once you have this completed, navigate to settings > access controls > authentication method and choose LDAP. Just like when setting up SAML, you’ll need to work with your LDAP admin for the correct settings and bind DN password.
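The three preparatory steps above correspond to stanzas in authentication.conf, the file that the access controls UI writes for you. The following is an added example and not the article’s own configuration: the server name, base DNs, service account and group names are hypothetical placeholders.

```ini
# authentication.conf - added example with hypothetical values
# (ldap.example.com, the DNs and the group names are placeholders)

[authentication]
authType = LDAP
# Step 3: connection order. Strategies are queried left to right;
# add a second strategy name here only if you have a second server.
authSettings = corp_ldap

# Step 1: the LDAP strategy
[corp_ldap]
host = ldap.example.com
# Port 636 with SSLEnabled = 1 keeps the bind password and user
# credentials off the wire; 389 with SSLEnabled = 0 sends them in clear text.
port = 636
SSLEnabled = 1
# Read-only service account used to search users and groups
bindDN = cn=splunk-svc,ou=service,dc=example,dc=com
# Placeholder: entered once in clear text, Splunk encrypts it on restart
bindDNpassword = CHANGE-ME-PLACEHOLDER
userBaseDN = ou=people,dc=example,dc=com
userBaseFilter = (objectclass=person)
userNameAttribute = uid
realNameAttribute = cn
groupBaseDN = ou=groups,dc=example,dc=com
groupBaseFilter = (objectclass=groupOfNames)
groupNameAttribute = cn
groupMemberAttribute = member
# How group members are identified (by the user's DN here)
groupMappingAttribute = dn

# Step 2: map LDAP groups to the Splunk roles listed above.
# Users in no mapped group cannot log in, which keeps admin small.
[roleMap_corp_ldap]
admin = splunk-admins
power = splunk-power-users
user = splunk-users
```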

These are the basics of managing Splunk apps and users. With this knowledge under your belt, you can begin onboarding your team and stakeholders to your Splunk environment.

