Hi,
Currently in my data, I have latitude and longitude info for all locations around the world. Is there a way or a handy function available in Splunk to map the latitude and longitude into the corresponding timezone?
For example, for a specific location in the city of San Francisco, the time zone should be mapped to "Pacific Time Zone". Moreover, once we have the time zone mapped, could we go one step further and get the time offset/delta to UTC? With the same example, for locations in San Francisco, the time offset to UTC is "-08:00".
Thank you!
What function or command can I use for Splunk to map the latitude and longitude into corresponding timezones?
How to create a choropleth map using state abbreviations?
Does anyone know if/how you can create a choropleth map in Splunk using state abbreviations? I have been trying the following search but to no avail.
index=traffic sourcetype="traffic_logs" | stats count(id) | geom geo_us_states featureIdField=driver_state gen=0.1 min_x=-130.5 min_y=37.6 max_x=-130.1 max_y=37.7
Using logs with IP addresses, how can I develop a search that defines remote login from different geolocations within 1 hour?
I need to define Remote login from different locations within 1 hour, but my vpn log doesn't have information concerning the country, it just shows the IP. How can I do that?
Best Splunk IP geolocation and Internet route registry lookup utility
I'm looking for the best Splunk IP geolocation and IRR lookup utility (doesn't have to be necessarily free and doesn't have to be one tool).
Ideally it should provide the following info: country code, country name, city, latitude, longitude, ASN number, ASN org name, BGP network prefix, prefix name from the route registry
What I have found so far:
- Splunk builtin Iplocation [https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Iplocation][1]
- Main issues: No route registry information, no country code, no BGP data
- geoip from Google Maps [https://splunkbase.splunk.com/app/368/][2]
- Main issues: obsolete, no route registry information
- Geo ASN [https://splunkbase.splunk.com/app/576/][3]
- Main issues: obsolete, no country code
I guess most of that job could be done by a simple script using the free MaxMind database. I'm somewhat surprised I can't find anything like that, but I could have overlooked something obvious.
Any other suggestions with regards to up to date tools?
[1]: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Iplocation
[2]: https://splunkbase.splunk.com/app/368/
[3]: https://splunkbase.splunk.com/app/576/
Aggregation of logs matching the radius of specific location information
There is a question about the search method.
I want to total up the logs whose position information falls within a 500 m radius of the position information in the master data.
**Our Log Spec**
2017-02-01 17:29:28:986+0900 event_id="12345678" latitude="38.250938415527344" longitude="140.93927001953125" ...
**Want to output**
I want to count the logs that match the 500 m radius of latitude and longitude of master data (shop_name ~ longitude).
**Tried method**
1. Upload master data with CSV, calculate radius, execute subquery
host=hogehoge [inputlookup MASTER.csv | eval w_lng = longitude - (500 / 30.8184 * 0.000277778) | eval w_lat = latitude - (500 / 25.2450 * 0.000277778) | eval e_lng = longitude + (500 / 30.8184 * 0.000277778) | eval e_lat = latitude + (500 / 25.2450 * 0.000277778) | table shop_name address longitude latitude w_lng w_lat e_lng e_lat]
2. Generate and execute search queries in eval in subqueries
host=hogehoge [inputlookup MASTER.csv | eval w_lng = longitude - (500 / 30.8184 * 0.000277778) | eval w_lat = latitude - (500 / 25.2450 * 0.000277778) | eval e_lng = longitude + (500 / 30.8184 * 0.000277778) | eval e_lat = latitude + (500 / 25.2450 * 0.000277778) | table shop_name address longitude latitude w_lng w_lat e_lng e_lat | eval search = "(longitude >= " . w_lng ." AND latitude >= " . w_lat . ") AND (longitude <= " . e_lng ." AND latitude <= " . e_lat . ")" | fields search]
Neither method failed.
I would be pleased if you could advise me if there is any way to think about it.
Query Help - Traffic stats by IP & Geolocation
I'm reaching out to the Splunk community once again for some query help. I'm trying to find all the traffic going through my proxies, specifically the IPs and their geolocation. Does this seem feasible?
Thanks in advance!
Mapping the location of a TrueClientIP on a Cluster or Choropleth Map.
Is it possible to map out the locations of the 'TrueClientIP' field in a search using either a Cluster or Choropleth Map?
I have the below Search that shows me any website activity with an "UNKNOWN" Redirect URL and "UNKNOWN" Cookie Date and would like to Chart the location of where the TrueClientIP is coming from/based (Public IP).
sourcetype=iis CookieData="\"UNKNOWN\"" RedirectTo="\"UNKNOWN\"" TrueClientIP!="\"UNKNOWN\"" TrueClientIP!="\"127.0.0.1\"" | timechart minspan=1h count by TrueClientIP limit=5 usenull=f useother=f
Are you aware of a way that Splunk can pick up the location of a public IP by its IP address? Are there any third party apps, etc., or a way I can link this data into my search and show it on a map?
Regards
Jonathan
Displaying a marker for each event
I'm trying to display markers on a map using Splunk. I'm currently trying out `geostats` but I don't seem to get it working.
The latitude is stored as `DevEUI_location.DevLAT` and longitude as `DevEUI_location.DevLON`.
I have tried the following:
`host=jan DevEUI_location | geostats latfield=DevEUI_location.DevLAT longfield=DevEUI_location.DevLON` --> Displays nothing on map
`host=jan DevEUI_location | geostats latfield=DevEUI_location.DevLAT longfield=DevEUI_location.DevLON count` --> Displays 1 big circle
I would like a marker or indicator for each event. Any idea how to do this?
Thanks
How to create a circle around a lat/lon on Splunk Map by distance
Situation:
I need to create a circle of about 400km around a particular lat/lon on Splunk Maps and whenever an object which is also defined by a lat/lon enters within the area of 400km, I should be able to get an alert and view it real time and also be able to see when it leaves this particular area.
Haversine:
I was able to download the app but was not able to make it work by any means.
I would really really appreciate your input and help with this.
Thanks so much.
Rohit
Heat map using a zip code
Hi,
I have the below data in a csv file. I'd like to create a heat map with the count(zip_code) number inside the marker. Any thoughts on how I would go about this? Many thanks!!!
| ZIP_CODE | COUNT(ZIP_CODE) | LAT | Long |
|---|---|---|---|
| 89148 | 1052 | 36.06 | -111.87 |
| 85255 | 924 | 33.66 | -111.94 |
| 85254 | 799 | 33.61 | -112.24 |
| 85383 | 787 | 33.76 | -112.18 |
| 85308 | 672 | 33.66 | -97.76 |
| 73099 | 666 | 35.51 | -76.3 |
| 23320 | 656 | 36.67 | -111.89 |
| 85260 | 654 | 33.61 | -76.04 |
| 23456 | 644 | 36.73 | -115.13 |
| 89031 | 636 | 36.27 | -76.04 |
| 23464 | 629 | 36.73 | -95.78 |
| 74012 | 615 | 36.03 | -97.41 |
| 73013 | 601 | 35.67 | -115.04 |
| 89012 | 586 | 36 | -76.04 |
| 23462 | 569 | 36.73 | -97.51 |
haversine app: calculate speed and distance covered in a time series based on the previous event
I was hoping someone can help with haversine usage (or another command if there is something more appropriate).
I am using GPS data which looks like this:
Event 1:
84.6 59
Event 2:
84.3 59
Event 3:
84.3 110
I am breaking the events at so each event looks like this (although I could re-index as a single event or join them using transaction):
I want to calculate the speed and distance covered in a time series and based on the previous event.
E.g. Event 1 at *2017-08-08T15:32:21Z* my origin was *lat="33.7927740" lon="-117.8211870"* and Event 2 at *2017-08-08T15:32:26Z* my new location is *lat="33.7926100" lon="-117.8213410"* so in those 5 seconds I travelled *x* distance and did so in *y* speed.
I want to calculate for the next event based off location of the previous event, my new origin the Event 2 lat,lon and my new dest is Event 3 lat,lon (e.g. origin:lat="33.7926100" lon="-117.8213410" 4 seconds later: lat="33.7924200" lon="-117.8215040").
So on for the remainder of the events (approx ~2,000 for a 2 hr run).
My end goal is to use this data to find speed averages at different stages in runs and then track these averages over time to show performance improvement.
All fields are extracted correctly and there is: latitude, longitude, date (second - month).
Cheers,
use a map of a single nation in geostats command
Hi at all,
I need to display a geodistribution of my events on a cluster map of a single nation (Italy) instead of the zoomable full world.
How can I do it?
Thank you.
Bye.
Giuseppe
Okta Events API vs Okta System Log API?
It looks to me (based on the curl test under the details tab) that the Splunk Okta API queries the Events API and not the Okta System Log API.
Any plans to make a query for the System Log API? We're after the geolocation info. Using a whois lookup on the IP appears to be less accurate than whatever Okta does internally.
How can I implement real-time vehicle tracking for India using Splunk?
Hi All,
I am trying to implement vehicle tracking for the country of India using Splunk; it should be real-time tracking. How can I get the map for India and vehicle tracking?
Can anyone help me with this.
Regards,
Santosh.
How can I use Geolocation of a private IP space?
I want to use the geostats feature, but how do I do so on a private WAN where the syslog does not have Lat/Long fields/raw data? I have an eval that assigns a city to an address space; is there a way to tack onto this eval/lookup a way to plug in Lat and Long? I don't mind having to manually input the Lat/Long in the .csv, but I don't know how to make Splunk read those fields in the lookup table and output the map with location.
updating geolocation DB
Currently, we are running 6.6.2 and are using the geolite2 DB to do the iplocation mapping.
I have read the following articles:
https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html
http://www.georgestarcher.com/splunk-updating-the-geoip-database/
However, maxmind states that this DB is End of Life'd. There will be no additional updates after next month.
https://support.maxmind.com/geolite-legacy-discontinuation-notice/
How is Splunk going to handle these lookups in the future? What method of updating will be done?
We have been debating creating a lookup table that utilizes BGP routes. Is there a best practice or built in functionality that accomplishes this already?
We looked at ASNGenerator, but this also relies on the End of Life data from maxmind.
Search on Lat/ Lon within a specific radius
Hi Everyone,
I'm seeking an answer on how to do a search within Splunk that notifies you when something/someone is entering a particular Lat/Lon within a specific radius. It's basically geofencing.
We have a device that is sending Lat/ Lon every 30s and manually we added specific Lat / Lon & radius.
Right now, we are not too sure how to do the search that tells Splunk that a particular device has entered the specific area.
Appreciate any help on this
How to create an alert for login activity by same userID, different geoLoc, within time range?
I am working with some WAF logs that provide a correlation from sourceIP to city_name, country_name, latitude, and longitude, but not state information. I am currently only looking at the United States.
I need to somehow enrich the data to help filter user logins by time and distance between last login or if there are parallel logins going on.
Please advise where I might start.
Thank you
How to Create "Impossible Travel" Security Monitoring Use Case with pure SPL
I have some reservations about the usefulness of this with so much more usage of IaaS/PaaS/SaaS these days...but since this is non-trivial to produce, I thought I would save everyone the work of developing from scratch if it is something you'd like to monitor. I would also like to note, this has bubbled up activity that was unauthorized/malicious in my experience...so maybe it's not useless...
This uses a macro built on the search string provided by @MuS in this post: https://answers.splunk.com/answers/90694/find-the-distance-between-two-or-more-geolocation-coordinates.html#answer-568450
Prerequisites:
1. normalized fields: user, src_ip
2. geodistance macro
3. ***well filtered*** base search of 10000 or less events **OR**
4. streamstats `limits.conf` `max_stream_window = ` setting. **DO NOT RAISE THIS ARBITRARILY**: in my environment I have raised this to an upper limit of +10% of my average base events (to include my max) over the past month, after doing a LOT of filtering in the base search.
5. filtering clauses to get this down to a manageable number of results
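The geodistance logic that several of the posts above ask about (distance between consecutive GPS fixes, a radius check, and impossible travel between two logins of the same user) is shown here in Python rather than SPL, as an added example that is not from any poster, from Splunk, or from the linked geodistance macro. It assumes events already carry a user, a UTC timestamp and a geolocated lat/lon (e.g. from `iplocation`), and the 900 km/h speed threshold is an assumed tuning value.

```python
"""Haversine distance and an "impossible travel" check over login events."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0088  # mean Earth radius


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (degrees)."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = phi2 - phi1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Sort each user's logins by time and flag consecutive pairs whose
    implied speed exceeds max_kmh (assumed threshold, roughly airliner speed).
    events: iterable of (user, iso8601_utc, lat, lon).
    Returns a list of (user, from_ts, to_ts, distance_km, speed_kmh)."""
    by_user = {}
    for user, ts, lat, lon in events:
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_user.setdefault(user, []).append((t, lat, lon))
    hits = []
    for user, rows in by_user.items():
        rows.sort()  # chronological order per user
        for (t0, la0, lo0), (t1, la1, lo1) in zip(rows, rows[1:]):
            dist = haversine_km(la0, lo0, la1, lo1)
            hours = (t1 - t0).total_seconds() / 3600
            # Two logins in the same second from far apart are also
            # impossible; treat zero elapsed time as infinite speed.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                hits.append((user, t0.isoformat(), t1.isoformat(),
                             round(dist, 1), round(speed, 1)))
    return hits


# Constructed sample logins (not real data): alice moves within the Bay
# Area over an hour; bob "travels" San Francisco -> Tokyo in 30 minutes.
SAMPLE = [
    ("alice", "2017-02-01T08:00:00Z", 37.7749, -122.4194),
    ("alice", "2017-02-01T09:00:00Z", 37.3382, -121.8863),
    ("bob", "2017-02-01T08:00:00Z", 37.7749, -122.4194),
    ("bob", "2017-02-01T08:30:00Z", 35.6762, 139.6503),
]

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE):
        print(hit)
```

`haversine_km` is also what a geofence needs: a device is inside the fence when its distance to the fence centre is at or below the radius.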
Change Geo Map one country font size
Hi all, I'm using standard `geostats` then `count country` in a cluster map for one of my dashboard map displays. I wonder if it's possible to change one country's font size displayed on the map? **Just one**, not all.
I have admin access and it's ok if we need to change server config files.
Thanks a lot!