
This is an updated version of Part 1, revised with the feedback provided in this Reddit post.

First of all, the working example in this post assumes you use the Maps+ plugin. If you do not use this plugin, I strongly recommend you take a look: it is actively developed by one of Splunk’s employees and is loaded with useful features.

Step 1. Create “sample” data. If you intend to use this with your own data, leave this step out.

| makeresults count=100 

Step 2. Calculate a “Percent” column.

| eventstats count as total 
| streamstats count as pos 
| eval pct = ROUND(pos/total*100,0) 

Step 3. Generate a dummy latitude and longitude from the data. I just need to demonstrate a straight line. If you are using your own data, leave this step out.

| eval latitude=pct * 0.10, longitude=0 

Step 4. Generate the “Color Curve”. This implementation starts at green, and ends with red. If you want to change the colors, tweak this line.

| eval C_r=IF(pct<50, 255, 510-5.10*pct), C_g=IF(pct<50, 5.1*pct, 255), C_b=0 

Step 5. Here is the condensed version of my original method, using foreach, instead of one eval per color channel.

| foreach C_* 
    [| eval <<FIELD>>= REPLACE(tostring(ROUND(<<FIELD>>, 0),"hex"), "0x", "") 
    | eval <<FIELD>>=substr("00", 0, max(2-len(<<FIELD>>), 0)).<<FIELD>>] 

Step 6. Generate a hex color code.

| eval circleColor="#".C_r.C_g.C_b

Step 7. Formatting. I am piping everything out to a table. markerType="circle" changes how the icons are drawn.

| eval markerType="circle" 
| table pct latitude longitude circleColor markerType

Here is the finished product:

Here is the full query I used for this example.

| makeresults count=100 
| eventstats count as total 
| streamstats count as pos 
| eval pct = ROUND(pos/total*100,0) 
| eval latitude=pct * 0.10, longitude=0 
| eval C_r=IF(pct<50, 255, 510-5.10*pct), C_g=IF(pct<50, 5.1*pct, 255), C_b=0 
| foreach C_* 
    [| eval <<FIELD>>= REPLACE(tostring(ROUND(<<FIELD>>, 0),"hex"), "0x", "") 
    | eval <<FIELD>>=substr("00", 0, max(2-len(<<FIELD>>), 0)).<<FIELD>>] 
| eval circleColor="#".C_r.C_g.C_b
| eval markerType="circle" 
| table pct latitude longitude circleColor markerType
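To sanity-check the colour arithmetic before trusting it on a dashboard, here is the same pipeline (steps 2, 4, 5 and 6) re-implemented in plain Python. This is an added cross-check written for this page, not code from the post or from the Maps+ project. It assumes Splunk's ROUND(x, 0) rounds halves away from zero, mirrors the substr("00", ...) zero-padding trick literally so the single-digit case (a channel value of 0 coming back from tostring as "0x0") is exercised, and keeps the page's IF() expressions exactly as written, which means pct=0 yields #ff0000 and pct=100 yields #00ff00.

```python
import math


def spl_round(x: float) -> int:
    # Assumption: Splunk's ROUND(x, 0) rounds halves away from zero. All
    # channel values here are non-negative, so floor(x + 0.5) is equivalent.
    return int(math.floor(x + 0.5))


def channel_values(pct: int) -> tuple[int, int, int]:
    """Step 4: the piecewise colour curve, same expressions as the SPL eval.

    pct < 50 : red pinned at 255, green ramps 0 -> 255
    pct >= 50: green pinned at 255, red ramps 255 -> 0
    blue is always 0
    """
    if pct < 50:
        c_r, c_g = 255.0, 5.1 * pct
    else:
        c_r, c_g = 510 - 5.10 * pct, 255.0
    return spl_round(c_r), spl_round(c_g), 0


def to_hex2(value: int) -> str:
    """Step 5 for one channel: tostring(x, "hex") minus the "0x" prefix,
    then left-padded with the same substr("00", 0, max(2-len(x), 0)) trick."""
    h = hex(value).replace("0x", "")
    pad = "00"[: max(2 - len(h), 0)]  # "" when already 2 chars, "0" when 1 char
    return pad + h


def circle_color(pct: int) -> str:
    """Step 6: "#" . C_r . C_g . C_b"""
    return "#" + "".join(to_hex2(c) for c in channel_values(pct))


def build_rows(count: int = 100) -> list[dict]:
    """Steps 1-3 and 7: makeresults, eventstats/streamstats, dummy coordinates
    and the final table columns, one dict per result row."""
    rows = []
    for pos in range(1, count + 1):          # streamstats count as pos
        pct = spl_round(pos / count * 100)   # eventstats count as total
        rows.append({
            "pct": pct,
            "latitude": pct * 0.10,
            "longitude": 0,
            "circleColor": circle_color(pct),
            "markerType": "circle",
        })
    return rows


if __name__ == "__main__":
    for row in build_rows(100)[::25]:
        print(row)
```

The handful of rows printed at the end make the direction of the gradient obvious: the low-pct end of the line is red and the high-pct end is green with the curve exactly as the post defines it, so if you want the opposite orientation, swap the two IF() branches in step 4 rather than adjusting the hex step.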