I noticed that our splunk installs have a $SPLUNK_HOME/share/splunk/mbtiles/splunk-tiles.mbtiles file.
This makes me suspect that the webserver bundled in with Splunk has the ability to serve tiles. Has anyone seen this, or have any hints as to if this can be used for mbtiles that we create ourselves?
Splunk has built-in mbtiles server. Can this be used for mbtiles that we create ourselves?
How to display extracted data on a map using Splunk's geo-mapping feature?
Hey quick question,
I currently have extracted from my data a list of states (USA) and counts for each state (i.e. AZ - 32, CA - 94, CO - 12, etc.).
Is there any way to display this information using Splunk's geo-mapping feature?
Ideally I want to get something that looks like this:

Thanks for the help!
Possible to place a graphic on a map in real-time every time an event occurs?
I would like to use a map to pop a graphic up on a map for each time an event occurs in real-time.
I have used iplookup for other dashboards, but this will have to rely on a lookup table of locations corresponding to zip codes. Rather than a heat map of clustered event counts, I would just like to pop up an image over each location for x seconds, or display images for the last x # of events.
I already have the real-time search that generates a table of the last 25 events with the field I need to cross-reference... outputting to a table with the latitude and longitude to populate the image. I just need to figure out how to pop the image on a map.
How to extract an arbitrary IP address from a record that contains multiple IP addresses and convert it to location information
Thank you for your continued help.
As the title says, please tell me how to extract an arbitrary IP address from a record that contains multiple IP addresses and convert it to location information.
Target record (example)
Jan 31 13:42:43 192.168.xx.xx [AA:AA:AA:AA:AA:AA] Gatekeeper : FIREWALL: TCP connection denied from 192.168.yy.yy:64085 to 54.68.zz.zz:80
For this record I added fields with the following names
srcIP = 192.168.yy.yy
dstIP = 54.68.zz.zz
For dstIP, the statistics detect more than 100 addresses.
I am thinking of converting this dstIP to location information and displaying it on Google Maps or similar.
Search ①
sourcetype=syslog dstIP="*" | geoip
Result ①
geoip becomes 192.168.xx.xx and nothing is displayed.
Search ②: thinking that I should just remove the unnecessary fields
sourcetype=syslog dstIP="*" | fields - host , source ,splunk_server | geoip
Result ②
geoip becomes 192.168.xx.xx and nothing is displayed.
Search ③: thinking that I should pass the field to geoip
sourcetype=syslog dstIP="*" | geoip dstIP
Result ③
In the search results, location information (geo_city etc.) now appears in the statistics, but
it is not displayed in Google Maps.
With the tutorial secure.log, source="secure.log" Failed | geoip works without any problem, so
I recognize that there is a problem with how I am passing the data, but I cannot figure it out.
geostats would be fine too; I would appreciate your advice on how to handle this.
HERE maps: how to update the table based on the part of the map I zoom into?
Hi All,
I have used the HERE maps app to create dashboard. I want to know how to update the table based on the part of the map I zoom into.
Please let me know if we have an option to perform this?
Thanks
Sathish R
How to search concurrent logins from geographically distinct locations during the same time period?
I want to find when a login is used from a significantly distinct location during the same time period. We are able to get latitude and longitude information just fine, but I'm having a hard time constructing the search string that would bring back the same login being used say in Chicago and LA. I searched the knowledge base without any luck.
Sample data below:
2015-03-02 12:40:30.403-0500
Context_ID=BFB0BA8D-627B-4EA0-983E-962F8D5E2B88
Login_Date=1425318030.403
Application_Name=app_name
User_ID=nnnnn
User_Name=uid1
User_Group_ID=group_name1
Group_Name=xxxxxx
Group_Tag_ID=nnnnnnnn
Group_Type=Recipient
IPAddress=xx.xx.xx.xx
Latitude=42.90960000000001
Longitude=-78.8291
City=Buffalo
State=NY
Country=United States
PostalCode=
AreaCode=716
2015-03-02 12:40:28.903-0500
Context_ID=DD5DF112-2194-4F1C-AACF-364856CCBEDF
Login_Date=1425318028.903
Application_Name=app_name
User_ID=nnnnn
User_Name=uid2
User_Group_ID=group_name2
Group_Name=group_name2
Group_Tag_ID=nnnnnnnnnnn
Group_Type=Recipient
IPAddress=208.xx.xx.xx
Latitude=42.37219999999999
Longitude=-71.1787
City=Watertown
State=MA
Country=United States
PostalCode=02472
AreaCode=617
2015-03-02 12:40:28.357-0500
Context_ID=377AB0CF-0D24-4BDD-91BC-03DCF232ABA1
Login_Date=1425318028.357
Application_Name=app_name
User_ID=nnnnnnnn
User_Name=uid3
User_Group_ID=nnnnnn
Group_Name=group_name3
Group_Tag_ID=nnnnnnnn
Group_Type=Recipient
IPAddress=xx.xx.xx.xx
Latitude=34.03309999999999
Longitude=-84.6011
City=Kennesaw
State=GA
Country=United States
PostalCode=30144
AreaCode=770
Best way to import geolocations info and use it in maps?
I'm curious whether there is a preferred way of getting the geolocation data in and using it in the searches. We are talking about a company which has many (several dozen) different branches all over the country. The list of those branches will change every now and then, but it will be a rare event.
Right now, just for the sake of getting something working, I created a CSV file of branches containing their longitude and latitude, imported it once and created a couple of maps with underlying searches joining the resulting list of "events" on the location ID before going into 'geostats' command. However, I have a feeling that JOIN is a cumbersome way of doing it. Is there anything better suited for the task?
How do I create a report that lists all servers and devices reporting to Splunk broken out by country?
We need to create a report that lists all devices and servers reporting into Splunk. We want to have the report broken out by country. We don't have an internal cross-reference to identify servers to countries. I was using this search based on other Answer questions.
index=_internal source="/opt/splunk/var/log/splunk/metrics.log*" sourcetype="splunkd" fwdType="*" | dedup sourceHost|stats count by hostname, sourceHost, fwdType, guid, os, arch
I tried to plug in the geoip/iplocation searches to see if we could obtain the location of our servers. I wasn't able to get results.
Please advise if you have suggestions.
Thanks!
Jenn
How to get geo location of IP's while generating a report?
What is the recommended way to get more detailed and accurate geoip information in Splunk?
We are finding that the data provided for iplocation in Splunk is not as detailed as we would like, nor is it completely accurate. I understand this is a moving target and nothing will be perfect, but is there a more accurate way to get iplocation? Both the Maxmind and Google apps don't appear to be supported after version 5? Any recommendations here would be appreciated.
Thanks,
-Bob
How to enable iplocation
How do I "enable" iplocation in Splunk Ent. 6.2.2. I thought it might be just an automatic function now that the database is default. When I try searches using "iplocation" context it brings up nothing. Any help would be greatly appreciated as I can find details on this anywhere.
Note, I have a cluster environment with two peers and another server acting as the master/search head. Thanks in advance.
Search on Lat/ Lon within a specific radius
Hi Everyone,
I'm seeking an answer on how to do a search within Splunk that notifies you when something/someone is entering a particular Lat/Lon within a specific radius. It is basically geofencing.
We have a device that is sending Lat/ Lon every 30s and manually we added specific Lat / Lon & radius.
Right now, we are not too sure how to do the search that tells Splunk that a particular device has entered the specific area.
Appreciate any help on this
How can I geo map out email activity from index=msexchange?
Newbie here with Splunk searching and regex...
I've been tasked to geo map out email activity across the company based on user locations along with the top communicators. They already have data in Splunk (index=msexchange). If anyone has done this or knows how I can map this data out (from index=msexchange), that would be great!
Addt'l possibly Interesting fields:
sender
recipients
original_client_ip
recipient_count
Thanks for any help!
Index name alias; IP address-geolocation recognition
Is it possible in Splunk Enterprise to alias index name (for purposes of another application that must use a set name that will serve as index name)?
Is it possible to extend (either at index or search time) events by geolocation? Considering long enough period where a single address can correspond to multiple locations (and vice versa), what geolocation format (perhaps a lookup table?) would be best suited?
Is it possible to extend events by IP address geolocation recognition?
Is it possible to extend (either at index or search-time) events by geolocation - considering a long enough period where a single address can correspond to multiple locations (and vice versa), as well as keeping old locations despite updating geolocation db?
How to plot United Kingdom (UK) postcodes on Google Maps?
I have a search which returns a number of UK postcodes that I would like to plot on a Google Maps panel on my dashboard. I have seen a lot of discussions around plotting longitude and latitude coordinates but not postcodes directly; is this possible within SPLUNK?
I have also looked at mapping the postcodes returned to a UK postcode to longitude/latitude lookup but find that a lot of postcode entries are missing.
Any help or a steer in the right direction would be greatly appreciated.
How to set up an alert to detect login abuse and credential leaks using geographical and timing data?
Hello,
I'm a SPLUNK beginner and I would need some help finding a way to achieve my goal.
I gather various login events: user login on the SSO web portal, POP/IMAP access, SSH login, etc. Each kind of event comes from a different source, but for every one I get a timestamp, a user login, and an IP address.
I would like to be able to detect when:
- the same user login is used from two (or more) locations,
- far from each other (say 500km),
- in a given time window (say 5 hours).
I've found similar interests in calculation of distance between events here on splunk>answers, but none goes as far as what I need. The calculation itself is only one aspect. I'm confident SPLUNK can handle this, but I'm not sure about the bigger picture. I have no idea how to proceed to create a dynamic time window for each successful user login, for example.
Ultimately I need the process to act as a real-time trigger for security alert.
I'm pretty sure it's very complex, and I don't expect an all-in-one solution. Any help is greatly appreciated.
Google Maps: Is there a feature to plot all users that fall within a circle on the map?
Hi,
I currently need to develop a report which plots all users within a custom circle on Splunk maps.
The user will put in a custom lat, lon and radius to create the circle. How can I make this a limitation on the map? Is there a feature for this or do I need to make a mathematical calculation?
The example query I want to alter is:
index=main lat/lon_within_circle=($lat_term$ $lon_term$ $radius_term$) earliest=-30m | geonormalize | eval _geo_count=coalesce(_geo_count,1) | stats sum(_geo_count) as _geo_count by _geo
How can I make this work?
Anthony
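The four posts above that ask about distance (concurrent logins from distinct locations, geofencing a device against a Lat/Lon and radius, the 500 km / 5 hour login-abuse alert, and users inside a custom circle) all reduce to the same two computations: a great-circle distance between two coordinates, and a per-user time window over sorted login events. The following Python block is an added example and is not code from Splunk or from any of the posters; it uses the haversine formula, constructed login records loosely modelled on the sample events above (the Chicago coordinates and timestamps are made up), and assumed threshold values of 500 km and 5 hours.

```python
"""Haversine distance, radius geofence and same-user distant-login detection.
Added example; not part of the original Splunk Answers posts."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

EARTH_RADIUS_KM = 6371.0  # mean Earth radius, adequate for alerting thresholds


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS-84 lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def within_radius(lat: float, lon: float,
                  center_lat: float, center_lon: float, radius_km: float) -> bool:
    """Geofence test: is (lat, lon) inside the circle of radius_km around the center?"""
    return haversine_km(lat, lon, center_lat, center_lon) <= radius_km


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float
    city: str


def distant_logins(events: List[Login], min_km: float = 500.0,
                   window: timedelta = timedelta(hours=5)) -> List[Tuple[str, str, str, int, timedelta]]:
    """Return (user, city_a, city_b, km, elapsed) for every pair of logins by the
    same user that are at least min_km apart and at most `window` apart in time.
    Events are grouped per user and sorted by time so the inner loop can stop
    as soon as the later event falls outside the window."""
    by_user: Dict[str, List[Login]] = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                elapsed = later.ts - first.ts
                if elapsed > window:
                    break  # sorted, so nothing further can be inside the window
                km = haversine_km(first.lat, first.lon, later.lat, later.lon)
                if km >= min_km:
                    alerts.append((user, first.city, later.city, round(km), elapsed))
    return alerts


def sample_logins() -> List[Login]:
    """Constructed sample data (not real users); coordinates for Buffalo, Watertown
    and Kennesaw follow the sample events in the post above, Chicago is added."""
    t0 = datetime(2015, 3, 2, 12, 40, 30)
    return [
        Login("uid1", t0, 42.9096, -78.8291, "Buffalo"),
        Login("uid1", t0 + timedelta(hours=1, minutes=30), 41.8781, -87.6298, "Chicago"),
        Login("uid2", t0, 42.3722, -71.1787, "Watertown"),
        Login("uid2", t0 + timedelta(minutes=50), 42.3722, -71.1787, "Watertown"),
        Login("uid3", t0, 34.0331, -84.6011, "Kennesaw"),
        Login("uid3", t0 + timedelta(hours=8), 42.9096, -78.8291, "Buffalo"),
    ]


def run_example() -> List[Tuple[str, str, str, int, timedelta]]:
    """uid1 moves Buffalo -> Chicago (about 730 km) in 90 minutes: alert.
    uid2 stays put: no alert.  uid3 travels far but outside the 5 h window: no alert."""
    return distant_logins(sample_logins())


if __name__ == "__main__":
    for user, a, b, km, elapsed in run_example():
        print(f"{user}: {a} -> {b}, {km} km in {elapsed}")
    print("Chicago-area point inside 50 km fence:",
          within_radius(41.9, -87.7, 41.8781, -87.6298, 50))
```

In Splunk the same haversine expression can be written with the eval functions `sin()`, `cos()`, `asin()`, `sqrt()` and `pi()`, and the per-user previous location and timestamp can be carried forward with `streamstats` after sorting by user and time; the threshold and window are then plain `where` conditions on the computed distance and the time delta.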
Problem with Geospatial lookup and geom command
Hi All,
Posting this question, as I am new to Geospatial lookup and trying to configure it as per Michael Porath's blog (http://blogs.splunk.com/2015/10/01/use-custom-polygons-in-your-choropleth-maps/) .
I have received a shape file, which I have converted to KML format using the steps mentioned in it, but when I run the geom command it gives me a bunch of error messages as below and splunkd crashes. Here is some output from the crash log.
04-11-2016 11:19:36.534 ERROR spatial:PointInPolygonIndex - wrote 18933 grid keys
04-11-2016 11:19:44.880 INFO spatial:Util - PIP index built successfully
04-11-2016 11:19:44.889 INFO SearchOperator:Geom - did not find clipped geometry in cache for featureCollection=bambi_aus_regions_old
04-11-2016 11:19:44.889 INFO SearchOperator:Geom - generalization=1.000000
04-11-2016 11:19:44.890 INFO spatial:PointInPolygonIndex - Num Keys in ray.key: 16923
04-11-2016 11:19:44.890 INFO spatial:PointInPolygonIndex - Num Keys in seg.key: 4331904
04-11-2016 11:19:44.890 INFO spatial:PointInPolygonIndex - Num Keys in grid.key: 18933
04-11-2016 11:19:44.890 INFO spatial:PointInPolygonIndex - memory mapping existing file: ray.key
04-11-2016 11:19:44.890 INFO spatial:timing:PointInPolygonIndex - memory mapped /opt/app/optier/splunk/etc/apps/BambiAdmin/lookups/bambi_aus_regions_old/ray.key in 0.001000 sec
04-11-2016 11:19:44.890 INFO spatial:PointInPolygonIndex - memory mapping existing file: ray.val
04-11-2016 11:19:44.890 INFO spatial:timing:PointInPolygonIndex - memory mapped /opt/app/optier/splunk/etc/apps/BambiAdmin/lookups/bambi_aus_regions_old/ray.val in 0.001000 sec
04-11-2016 11:19:44.890 INFO spatial:PointInPolygonIndex - memory mapping existing file: seg.key
04-11-2016 11:19:44.890 INFO spatial:timing:PointInPolygonIndex - memory mapped /opt/app/optier/splunk/etc/apps/BambiAdmin/lookups/bambi_aus_regions_old/seg.key in 0.001000 sec
04-11-2016 11:19:44.890 INFO spatial:PointInPolygonIndex - memory mapping existing file: seg.val
04-11-2016 11:19:44.890 INFO spatial:timing:PointInPolygonIndex - memory mapped /opt/app/optier/splunk/etc/apps/BambiAdmin/lookups/bambi_aus_regions_old/seg.val in 0.001000 sec
04-11-2016 11:19:44.890 INFO spatial:PointInPolygonIndex - memory mapping existing file: grid.key
04-11-2016 11:19:44.890 INFO spatial:timing:PointInPolygonIndex - memory mapped /opt/app/optier/splunk/etc/apps/BambiAdmin/lookups/bambi_aus_regions_old/grid.key in 0.001000 sec
04-11-2016 11:19:44.890 INFO spatial:PointInPolygonIndex - memory mapping existing file: grid.val
04-11-2016 11:19:44.890 INFO spatial:timing:PointInPolygonIndex - memory mapped /opt/app/optier/splunk/etc/apps/BambiAdmin/lookups/bambi_aus_regions_old/grid.val in 0.001000 sec
04-11-2016 11:19:44.892 WARN spatial:PointInPolygonIndex - requested tile was at y=-92 but returned tile as at -93
In one of my local environments the geom command does produce an output in the stats option, but in the Choropleth map section I get an error "problem memmapping".
I tried to break the kml file into small piece and then it works.
Can you advise what needs to be done to fix this issue?
My KML file is around 76MB and in KMZ format it comes to 20 MB. Is there a limit on the size of KML file which splunkd can process?
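The crash log above shows what the geom command is doing under the hood: it builds a point-in-polygon index (ray.key, seg.key, grid.key) from the KML polygons and then tests each event's coordinates against it. The following Python block is an added example, not Splunk code and not the poster's KML: it parses a constructed two-polygon KML document (the rectangles are invented and are not real administrative boundaries), and assigns sample coordinates to a region with the classic ray-casting test, which is the operation a geospatial lookup performs for each event.

```python
"""Parse KML polygons and classify points with ray casting.
Added example; not Splunk's geom implementation and not the poster's data."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

KML_NS = {"kml": "http://www.opengis.net/kml/2.2"}

# Constructed sample: two adjacent rectangles named like a choropleth feature set.
# KML coordinates are "lon,lat,alt" triplets separated by whitespace, first point repeated last.
SAMPLE_KML = """<kml xmlns="http://www.opengis.net/kml/2.2">
<Document>
  <Placemark><name>region_west</name>
    <Polygon><outerBoundaryIs><LinearRing><coordinates>
      140.0,-35.0,0 145.0,-35.0,0 145.0,-30.0,0 140.0,-30.0,0 140.0,-35.0,0
    </coordinates></LinearRing></outerBoundaryIs></Polygon>
  </Placemark>
  <Placemark><name>region_east</name>
    <Polygon><outerBoundaryIs><LinearRing><coordinates>
      145.0,-35.0,0 150.0,-35.0,0 150.0,-30.0,0 145.0,-30.0,0 145.0,-35.0,0
    </coordinates></LinearRing></outerBoundaryIs></Polygon>
  </Placemark>
</Document>
</kml>"""

Ring = List[Tuple[float, float]]  # list of (lon, lat) vertices


def parse_kml_polygons(text: str) -> Dict[str, Ring]:
    """Return {placemark name: outer ring} for every Placemark with a Polygon."""
    root = ET.fromstring(text)
    polygons: Dict[str, Ring] = {}
    for placemark in root.iterfind(".//kml:Placemark", KML_NS):
        name = placemark.findtext("kml:name", namespaces=KML_NS)
        coords = placemark.findtext(
            ".//kml:outerBoundaryIs/kml:LinearRing/kml:coordinates", namespaces=KML_NS)
        if name is None or coords is None:
            continue  # skip placemarks that are not polygons (points, lines)
        ring: Ring = []
        for token in coords.split():
            lon, lat = token.split(",")[:2]  # altitude, if present, is ignored
            ring.append((float(lon), float(lat)))
        polygons[name] = ring
    return polygons


def point_in_ring(lon: float, lat: float, ring: Ring) -> bool:
    """Ray casting: a horizontal ray from the point toward +lon crosses the
    polygon boundary an odd number of times iff the point is inside."""
    inside = False
    n = len(ring)
    for i in range(n):
        x1, y1 = ring[i]
        x2, y2 = ring[(i + 1) % n]
        if (y1 > lat) != (y2 > lat):  # edge straddles the ray's latitude
            x_cross = x1 + (lat - y1) * (x2 - x1) / (y2 - y1)
            if lon < x_cross:
                inside = not inside
    return inside


def lookup_region(lon: float, lat: float, polygons: Dict[str, Ring]) -> Optional[str]:
    """Return the first region whose outer ring contains the point, else None."""
    for name, ring in polygons.items():
        if point_in_ring(lon, lat, ring):
            return name
    return None


if __name__ == "__main__":
    regions = parse_kml_polygons(SAMPLE_KML)
    for lon, lat in [(142.0, -33.0), (147.0, -32.0), (155.0, -33.0)]:
        print(lon, lat, "->", lookup_region(lon, lat, regions))
```

A per-event linear scan over every polygon edge is exactly what a large KML makes expensive, which is why geom builds a grid index and why reducing vertex count (the generalization value in the log) or splitting the file, as the poster found, changes the outcome.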
How can I draw a line between two cities in a dashboard?
All,
I am hoping to draw a line between two sets of lat/lon in a dashboard. Looks like Google API has this. But I can't be the first person who needs to draw a line between two sets of coordinates in Splunk. Is there a way to do this with existing tools?
thanks,