|
I've been able to get AmMap to work with scheduled searches. Is there a way to get it to work in realtime? I thought I saw this demonstrated at the splunk live event in Washington DC last week. I've searched without much luck for an answer. The default AmMap app comes with a "Real Time AMMAP view" does anyone know how I put the data into this view. It doesn't appear to be the same file as the scheduled searches/ regular AmMap. Thanks, Jason |
|
Hi Jason, That view should be working, if not, you may want to try an updated build on splunkbase. The setup for this is simple though. Notice the HTML refers to a rt_settings file, you'll need to include that in the HTML you will be pulling in via a ServerSideInclude. The view XML looks like this: src_ip=* src_ip!=10.* src_ip!=192.* src_ip!=0.0.* | stats count by src_ip | eval count_label="Event" | eval iterator="src_ip" | eval iterator_label="IP" | eval movie_color="#FF0000" | eval output_file="rt_threat_data.xml" | eval app="amMap" | lookup geoip clientip as src_ip | mapit rt rt rt_map.html Notice the JobProgressIndicator jammed in there. This is so the real time search actually gets kicked off. Let us know if you need a hand getting this working. |
