Splunk Lab - Creating Maps

The document provides instructions for creating maps lab exercises in Splunk. It includes an overview and introduces two lab exercises - the first involves creating a cluster map of user logins by location, and the second involves creating a choropleth map to display retail sales in Canada by province. Key steps include setting up the lab environment, performing searches to analyze data, using commands like iplocation and geostats to include geographic context, creating a geospatial lookup of Canadian provinces, and building dashboards with the map visualizations.
Creating Maps Lab Exercises

Overview
Welcome to the Splunk Education lab environment. These exercises will guide you through the
process of creating a set of dashboards with cluster and choropleth map visualizations. You will
also customize a marker map and make it interactive. Perform all searches and create all
dashboards in the Creating Maps course app.

IMPORTANT: If you copy text from this document, please note that character formatting and artifacts
created by the PDF generation process can cause errors in the dashboard source
code. Consider using a text editor as an interim step.

Typographical Conventions
• Blue text indicates text to add
• Red text indicates text to remove
• Grey text provides placement information

Lab Connection Info


Access labs using the server URL, user name, and password shown in your lab environment.

Source Types
Source types used in these exercises are referred to by the type of data they represent.
Type               | Index    | Source Type  | Interesting Fields
Server access data | security | linux_secure | action, app, dest, process, src_ip, src_port, user, vendor_action
Retail sales       | sales    | vendor_sales | AcctID, categoryId, price, product_name, productId, sale_price, Vendor, VendorCity, VendorCountry, VendorID, VendorLatitude, VendorLongitude, VendorStateProvince

© 2022 Splunk Inc. All rights reserved. Creating Maps January 26, 2022 1
Lab Exercise 1 – Create a Cluster Map
Description
Create a dashboard with a time range input and two visualizations – a line chart and cluster
map. Perform all searches and save the dashboard in the Creating Maps app.

Scenario: The security team wants a dashboard with a map that displays user logins globally. They
supplied a wireframe to use as a guide. The dashboard includes the following:
- Time range input
- Line chart displaying all logins
- Map of logins by location

Wireframe:

Steps
Task 1: Change the account name and time zone.
Set up your lab environment to fit your time zone and the app you will
be working in.
1. Navigate to User Menu > Account Settings.
2. In the Full name box, enter your name: <Firstname Lastname>
For example: Mitch Fleischman
3. Click Save.
4. Navigate to User Menu > Preferences.
5. Enter the following settings:
• Time zone: <your local time zone>
• Default application: Creating Maps
6. Click Apply.
7. Navigate to Apps > Creating Maps.

TIP: Since your default application is now Creating Maps, clicking the Splunk logo in the upper left is
the same as navigating to Apps > Creating Maps.

Task 2: Create a new dashboard.


8. Click Dashboards.
9. Click Create New Dashboard.
10. In the Create New Dashboard dialog, enter the following settings:
• Dashboard Title: Lab1
• Permissions: Private
• How do you want to build your dashboard? Classic Dashboards

11. Click Create.

Task 3: Add a time input.
12. Click +Add Input and select Time.
13. Click the pencil icon on the input.
14. Use the following settings:
General
• Label: leave blank
• Search on Change: Select this option

Token Options
• Token: timeTok
• Default: Last 7 days
15. Click Apply.

Task 4: Add a prebuilt panel.

16. Click +Add Panel.


17. Select Add Prebuilt Panel > All Logins.
18. Click Add to Dashboard and close the side panel.
19. Save the dashboard and reload your browser.

Example:

Task 5: Add a map of user login locations.

20. Click Edit.


21. Click +Add Panel.
22. Select New > Cluster Map.
23. In the side panel, select Shared Time Picker (timeTok) from the Time Range drop-down menu.
24. In the Content Title box, enter: Global Logins

25. Enter a stem search for all password events over the last 7 days.
index=security sourcetype=linux_secure src_ip="*" action="*"
26. Pipe to the iplocation command to add location information (including lat and lon fields) derived from the src_ip addresses.
index=security sourcetype=linux_secure src_ip="*" action="*"
| iplocation src_ip

27. Pipe to the geostats command to generate statistics based on IP location.

By default, geostats uses lat as its latfield and lon as its longfield; these are the fields iplocation generates, so neither needs to be specified. Then, count events by action.
index=security sourcetype=linux_secure src_ip="*" action="*"
| iplocation src_ip
| geostats count by action
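What the geostats stage produces is easier to see on concrete rows. The following Python is an added example, not code from the Splunk lab: it emulates `geostats count by action` over constructed events whose lat and lon values are assumed to have already been added by iplocation, and its fixed 2-degree bin span is an assumption standing in for Splunk's per-zoom-level binning.

```python
from collections import Counter, defaultdict

# Constructed linux_secure-style events as they would look after
# `| iplocation src_ip` (addresses and coordinates are made up).
EVENTS = [
    {"src_ip": "198.51.100.7", "action": "failure", "lat": 37.77, "lon": -121.90},
    {"src_ip": "198.51.100.9", "action": "success", "lat": 37.33, "lon": -121.89},
    {"src_ip": "203.0.113.5", "action": "failure", "lat": 51.51, "lon": -0.13},
    {"src_ip": "203.0.113.6", "action": "failure", "lat": 51.48, "lon": -0.20},
    {"src_ip": "192.0.2.44", "action": "success", "lat": 35.68, "lon": 139.69},
    {"src_ip": "192.0.2.45", "action": None, "lat": 35.70, "lon": 139.70},  # no action field
    {"src_ip": "10.0.0.5", "action": "failure", "lat": None, "lon": None},  # private IP, no geo data
]


def geostats_count_by(events, split_field, binspan_lat=2.0, binspan_lon=2.0):
    """Approximate `geostats count by <split_field>` at a single zoom level.

    Assumption: bins are whole multiples of a fixed span (Splunk picks the
    span per zoom level; a constant keeps this emulation small). Returns one
    row per non-empty bin with the bin centre as latitude/longitude, a total
    count, and one column per split value. Events without the split field
    count towards the total only, and events iplocation could not place
    (no lat/lon) are dropped, as geostats drops them.
    """
    bins = defaultdict(Counter)
    for ev in events:
        if ev.get("lat") is None or ev.get("lon") is None:
            continue
        key = (ev["lat"] // binspan_lat, ev["lon"] // binspan_lon)
        bins[key]["count"] += 1
        if ev.get(split_field) is not None:
            bins[key][ev[split_field]] += 1
    rows = []
    for (bi, bj), counts in sorted(bins.items()):
        row = {"latitude": (bi + 0.5) * binspan_lat,
               "longitude": (bj + 0.5) * binspan_lon}
        row.update(counts)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in geostats_count_by(EVENTS, "action"):
        print(row)
```

Each printed row corresponds to one cluster marker on the map, and the per-action columns are what the marker's pie segments are drawn from.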

28. Click Add to Dashboard and close the side panel.

29. Save the dashboard and reload your browser.

Example:

Lab Exercise 2 – Create a Choropleth Map
Description
Create a geospatial lookup and use it to generate a choropleth map. Perform all searches and create all
knowledge objects in the Creating Maps course app. An optional challenge lab exercise is to create a
choropleth map using Dashboard Studio.

Scenario: The sales services team wants a dashboard with a map that displays retail sales in Canada
by province. They supplied a wireframe to use as a guide. The dashboard
includes the following:
- Time range input
- Geospatial lookup
- Map of Canada

Wireframe:

Steps
Task 1: Create a geospatial lookup.

1. Navigate to Settings > Lookups.


2. Click +Add new next to Lookup table files.

3. Set the Destination app to creatingMaps.


4. Click Browse.
5. Locate the canada.kml file available from the Download link in your lab environment and click Open.

NOTE: The Download link goes to a zip file, splunk_course_files.zip, which contains the canada.kml
file. Double-click the splunk_course_files.zip file to make its files available for upload.

6. In the Destination filename box, enter: canada.kml


7. Click Save.

NOTE: Depending on your network speed, uploading the file may take a few minutes.

8. Click Lookups in the upper left corner.

9. On the Lookups page, click + Add new next to Lookup definitions.

10. Set the Destination app to creatingMaps.


11. In the Name box, enter: canada
12. Set the Type to Geospatial.
13. Set the Lookup file to canada.kml.
14. Click Save.

Task 2: Test the lookup.
15. Click Search.
16. Use the inputlookup command to search the content of the lookup.
| inputlookup canada
Example:

Task 3: Find all retail sales in Canada by Province.


17. Search retail sales over the last 7 days and limit results to Canada.
index=sales sourcetype=vendor_sales VendorCountry=Canada
18. Use the stats command to create a table showing the total retail sales for each province in Canada.
index=sales sourcetype=vendor_sales VendorCountry=Canada
| stats sum(price) by VendorStateProvince
19. Edit the stats command so that the total sales column is renamed USDollars.
index=sales sourcetype=vendor_sales VendorCountry=Canada
| stats sum(price) as USDollars by VendorStateProvince
20. Create a new field called CDNDollars whose values are USDollars multiplied by the US Dollar
to Canadian Dollar conversion rate of 1.31. Round to two decimal places.
index=sales sourcetype=vendor_sales VendorCountry=Canada
| stats sum(price) as USDollars by VendorStateProvince
| eval CDNDollars = round(USDollars*1.31,2)
21. Remove USDollars from the results.
index=sales sourcetype=vendor_sales VendorCountry=Canada
| stats sum(price) as USDollars by VendorStateProvince
| eval CDNDollars = round(USDollars*1.31,2)
| fields - USDollars

Example:

22. Use the geom command to join VendorStateProvince to the canada geospatial lookup. The VendorStateProvince values must match the feature names in canada.kml exactly; a province whose name does not match gets no shape on the map.
index=sales sourcetype=vendor_sales VendorCountry=Canada
| stats sum(price) as USDollars by VendorStateProvince
| eval CDNDollars = round(USDollars*1.31,2)
| fields - USDollars
| geom canada featureIdField=VendorStateProvince

Example:

23. Click the Visualization tab and select Choropleth Map.


24. Click the Format tab and enter these settings:
General
• Set Latitude to: 53
• Set Longitude to: -92
• Set Zoom to: 4

Colors
• Set Color Mode to Sequential.
• Set Maximum Color to: 006D9C
• Set Number of Bins to: 7

Task 4: Create a dashboard.
25. Save the visualization to a New Dashboard.
• Dashboard Title: Lab2
• Permissions: Private
• How do you want to build your dashboard? Classic Dashboards
• Panel Title: Sales by Province

26. Click Save to Dashboard.


27. Click View Dashboard.

Task 5: Add a time input.


28. Click Edit.
29. Click + Add Input and select Time.
30. Click the pencil icon on the input.
31. Use the following settings:
General
• Label: leave blank
• Search on Change: Select this option

Token Options
• Token: timeTok
• Default: Last 7 days
32. Click Apply.

Task 6: Set the map panel to use the time picker.
33. On the Sales by Province panel, click the Edit Search icon.
34. In the Time Range drop-down menu, select Shared Time Picker (timeTok).

35. Click Apply.


36. Save the dashboard and reload your browser.

Example:

Challenge Lab Exercise - Optional
Scenario: The sales team likes the dashboard, but they want it to use a custom SVG for the map of
Canada. They supplied a wireframe to use as a guide. The dashboard includes the following:
- Map of Canada

Wireframe:

Task 1: Create a dashboard.


1. Click Dashboards.
2. Click Create New Dashboard.
3. In the Create New Dashboard’s Dashboard Title box enter: Challenge
4. Set Permissions to Private.
5. Click Dashboard Studio.
6. Click Absolute Layout.
7. Click Create.
8. On the Configuration side panel, set the Display Mode to Actual Size.
9. Select the time range input.
10. Revise the title to: Select a time:
11. Set the Default Value to: Last 7 days.
12. Click Save to save the dashboard.

Task 2: Add a Choropleth SVG.
13. Click the +Add Chart icon.
14. Select ChoroplethSVG.

15. In the Data Source Name box, enter: Sales by Province


16. On the New Data Source side panel, in the Search with SPL box, enter:
index=sales sourcetype=vendor_sales VendorCountry=Canada
| stats sum(price) as USDollars by VendorStateProvince
| eval CDNDollars = round(USDollars*1.31,2)
| fields - USDollars

17. Click Run & Save.


18. On the Configuration side panel, in the Title box enter: Sales by Province
19. Locate the Position & Size section and make sure the X position and Y position are set to: 0
20. Set the choropleth visualization width to 800 and height to 350.

NOTE: In the current release, set the dimensions of a choropleth SVG visualization before importing
the SVG file. Setting the dimensions after importing the file will not change the image size.

21. Locate the SVG Data section.


22. Click browse...
23. Locate the canada.svg file (available from the Download link) and click Open.

Task 3: Set dynamic color ranges.


24. In the Configuration side panel, locate the Path ID Field Formatting section.
25. Make sure the SVG Path ID Field is set to: VendorStateProvince (string).
26. Make sure Value Field is set to: CDNDollars (number).
27. Click the Coloring palette button.
The palette window opens to show color ranges.
28. Set the color ranges as follows:
1000 and greater
500 to 1000
250 to 500
100 to 250
29. Click anywhere outside the palette window to close it.
30. Close the side panel.
31. Save the dashboard and reload your browser.

Example:

Lab Exercise 3 – Customize Maps
Description
Create a cluster map and customize its marker colors. Add a drilldown that captures the latitude
and longitude from a user click in a token. Then, use the token to customize a search.

Scenario: The sales team wants a global map of vendors that shows regions with strong, moderate
and weak sales. The dashboard should have a table below the map to display more
information for a marker that is clicked on. The dashboard includes the following:
- Time range input
- World map of retail sales
- Table listing vendors

Wireframe:

Task 1: Create a dashboard.
1. Click Dashboards.
2. Click Create New Dashboard and use the following settings:
• Dashboard Title: Lab3
• Permissions: Private
• Classic Dashboards
3. Click Create.

Task 2: Add a time input.


4. Click +Add Input and select Time.
5. Click the pencil icon on the time range input and use the following settings:
Token Options
• Label: leave blank
• Search on Change: Select this option
• Token: timeTok
• Default: Last 7 Days
6. Click Apply.

Task 3: Add a cluster map.


7. Click +Add Panel.
8. Select New > Cluster Map.
9. Select Shared Time Picker (timeTok) from the Time Range dropdown menu.
10. In the Content Title box, enter: Retail Sales
11. In the Search String box enter:
index=sales sourcetype=vendor_sales product_name="*" VendorLatitude="*" VendorLongitude="*"
| geostats latfield=VendorLatitude longfield=VendorLongitude sum(price) as Sales
| eval Strong = if((Sales >= 1000), Sales, 0)
| eval Moderate = if((Sales >= 400 AND Sales < 1000), Sales, 0)
| eval Weak = if((Sales < 400), Sales, 0)
| fields - Sales

NOTE: Notice that this search creates three fields, Strong, Moderate, and Weak, one per range of sales.
These are used to color the markers on the map.

12. Click Add to Dashboard and close the side panel.

Task 4: Use custom map tiles.
13. Click the Format icon on the Retail Sales panel.
14. Select Tiles.
15. In the populate from preset configuration dropdown, select Open Street Map.

NOTE: Notice that this automatically populates Max Zoom with 19 levels.

16. Close the Format window.


17. Save the dashboard and reload your browser.

Example:

Task 5: Add a drilldown.
18. Click Edit.
19. On the map panel, click the More Options button and select Edit Drilldown.
20. Select Manage tokens on this dashboard from the On Click drop-down menu.
21. Click in the Token name box and enter: bounds.north
22. Click in the Token value box and enter: $click.bounds.north$
23. Click + Add New three times and enter the following settings:
Set: bounds.south = $click.bounds.south$
Set: bounds.east = $click.bounds.east$
Set: bounds.west = $click.bounds.west$
24. Click Apply.

Task 6: Add a table.


25. Click +Add Panel > New > Statistics Table.
26. In the Time Range drop-down menu, select Shared Time Picker (timeTok).
27. In the search box, enter:
index=sales sourcetype=vendor_sales product_name="*"
| search VendorLatitude >= $bounds.south$ VendorLatitude < $bounds.north$ VendorLongitude >= $bounds.west$ VendorLongitude < $bounds.east$
| stats sparkline(sum(price),24h) as "Sales Trend (last 24hrs)", sum(price) as Sold by product_name, Vendor, VendorCity
| rename product_name as Product
28. Click Add to Dashboard and close the side panel.
29. Save the dashboard and reload your browser.
30. Click a marker on the map.
Notice that the table populates with data based on the latitude and longitude bounds of the marker you clicked.
Troubleshooting: If the drilldown is not working, make sure the token names and values entered in the
drilldown window do not have a typographical error; then, reload your browser.
Setting tokens when the dashboard loads makes values available to the table immediately. The next
task shows how this is done.
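To see what the drilldown tokens and the table search do together, here is an added Python emulation, not code from the lab: it sets the bounds.* tokens from a click the way the drilldown does, applies them as the `| search` filter above, and sums price as Sold by product_name, Vendor and VendorCity over constructed vendor_sales records. The records, the click bounds and the omission of the sparkline column are all assumptions of this example.

```python
from collections import defaultdict

# Constructed vendor_sales-style events (vendors, places and prices are made up).
SALES = [
    {"product_name": "Puzzle Box", "Vendor": "Bayside Books", "VendorCity": "San Francisco",
     "VendorLatitude": 37.77, "VendorLongitude": -122.42, "price": 39.99},
    {"product_name": "Puzzle Box", "Vendor": "Bayside Books", "VendorCity": "San Francisco",
     "VendorLatitude": 37.77, "VendorLongitude": -122.42, "price": 39.99},
    {"product_name": "Card Deck", "Vendor": "Valley Games", "VendorCity": "San Jose",
     "VendorLatitude": 37.33, "VendorLongitude": -121.89, "price": 24.99},
    {"product_name": "Puzzle Box", "Vendor": "Thames Toys", "VendorCity": "London",
     "VendorLatitude": 51.51, "VendorLongitude": -0.13, "price": 39.99},
]


def click_to_tokens(click):
    """Mirror the drilldown's 'Manage tokens on this dashboard' settings:
    each bounds.<side> token is set from the matching $click.bounds.<side>$."""
    return {"bounds." + side: click["click.bounds." + side]
            for side in ("north", "south", "east", "west")}


def sales_in_bounds(events, tokens):
    """Apply the table panel's search: keep events inside the half-open box
    [south, north) x [west, east) that the marker click supplied, then sum
    price as Sold by product_name, Vendor and VendorCity, with product_name
    renamed to Product. The sparkline column is left out of this emulation."""
    grouped = defaultdict(float)
    for ev in events:
        lat, lon = ev["VendorLatitude"], ev["VendorLongitude"]
        if not tokens["bounds.south"] <= lat < tokens["bounds.north"]:
            continue
        if not tokens["bounds.west"] <= lon < tokens["bounds.east"]:
            continue
        grouped[(ev["product_name"], ev["Vendor"], ev["VendorCity"])] += ev["price"]
    return [{"Product": p, "Vendor": v, "VendorCity": c, "Sold": round(total, 2)}
            for (p, v, c), total in sorted(grouped.items())]


if __name__ == "__main__":
    # Constructed click on a Bay Area marker: the values $click.bounds.*$ would carry.
    click = {"click.bounds.north": 38.0, "click.bounds.south": 37.0,
             "click.bounds.east": -121.0, "click.bounds.west": -123.0}
    for row in sales_in_bounds(SALES, click_to_tokens(click)):
        print(row)
```

Until the tokens are set, the `$bounds.*$` references in the real search have no value, which is why the table stays empty before the first click unless Task 7's init defaults are added.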

Task 7: Add default token settings.


31. Click Edit.
32. Locate Autorun dashboard on the upper-right and check the box beside it.
33. Click Source.
34. At the top of the source code, just after the opening <form> tag, add an <init> element.
<form>
<init></init>
...
35. Between the opening and closing <init> tags, set default values for the map tokens.
<form>
<init>
<set token="bounds.north">37*</set>
<set token="bounds.east">37*</set>
<set token="bounds.south">-123*</set>
<set token="bounds.west">-122*</set>
</init>
...
36. Click Save and reload your browser.
Notice that the table populates immediately after the browser reloads.

Task 8: Test the dashboard.

37. Mouse over the clusters. Notice that green, blue, and orange show Strong, Moderate, and Weak in the
rollover. These are created by the eval commands in the search.
38. Click a marker. Notice the table updates.
39. Zoom in on the map. Notice more markers appear.
40. Change the time range. Notice the map resets to the default zoom level.

Example:
