The Splunk for amMap Flash Maps app requires 5 fields in order to properly plot your field values on the map. Those fields are:

    client_country
    client_region
    client_city
    client_lat
    client_lon

These fields will most likely need to come from a lookup file. Instructions on setting up a lookup can be found here
Here you go:

We need to create a csv lookup for your subnet field. In transforms.conf add:

    [csv_geoip]
    filename = geo_info.csv

Next we create a csv file that outputs the fields expected by the amMap app. In lookups create a geo_info.csv and use the following header:

    clientip,client_country,client_region,client_city,client_lat,client_lon

(You can change the clientip value to whatever you're going to match on, we just need to make that adjustment in the search.)

So an example file could be:

    subnet,client_city,client_region,client_country,client_lat,client_lon
    1.16,Arkhangelsk,06,"Russian Federation",64.5667,40.5333
    192.23,Bucharest,10,Romania,44.4333,26.1
    128.16,Leningradskiy,15,"Russian Federation",69.3833,178.4167
    10.19,Beijing,22,China,39.9289,116.3883
    123.19,Moscow,48,"Russian Federation",55.7522,37.6156

Once you have that just make sure to use subnet in the lookup stanza. The example search would look like this:

If you have subnet as a searchable field:

    | lookup csv_geoip

If you want to match subnet on another field:

    | lookup csv_geoip subnet as src_subnet

Once you have this the app should work as expected. Let me know if you have any other questions.
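Added example, not part of the question or the answer above and not code from the amMap app or Splunk: a small Python script that checks a geo_info.csv lookup file before it is dropped into the app (header carries the key field plus the five amMap fields, every row has the right number of columns, client_lat/client_lon are numeric) and then simulates what `| lookup csv_geoip subnet as src_subnet` does on a few events, so the matching rule is visible: exact string match on the key, output fields copied onto matching events, non-matching events left untouched. The CSV rows, the event field names src_ip and src_subnet, and the rule that the subnet key is the first two octets of the client IP are assumptions taken from the answer's sample data, not something the app defines.

```python
import csv
import io

# The five fields the amMap app requires (from the question above).
REQUIRED_FIELDS = ["client_country", "client_region", "client_city", "client_lat", "client_lon"]

# Constructed sample lookup, laid out like the answer's example geo_info.csv (values illustrative).
GEO_INFO_CSV = """subnet,client_city,client_region,client_country,client_lat,client_lon
1.16,Arkhangelsk,06,"Russian Federation",64.5667,40.5333
192.23,Bucharest,10,Romania,44.4333,26.1
128.16,Leningradskiy,15,"Russian Federation",69.3833,178.4167
10.19,Beijing,22,China,39.9289,116.3883
123.19,Moscow,48,"Russian Federation",55.7522,37.6156
"""

# Constructed sample events; src_ip is an assumed field name, not one the app mandates.
EVENTS = [
    {"src_ip": "192.23.4.5"},
    {"src_ip": "10.19.200.1"},
    {"src_ip": "8.8.8.8"},       # no matching subnet row: must pass through unchanged
]


def load_lookup(text, key_field):
    """Parse a CSV lookup and validate it the way a practitioner would before shipping it.

    Returns {key_value: row}. Raises ValueError on a missing required column,
    a row whose column count differs from the header, or non-numeric coordinates.
    """
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing = [f for f in [key_field] + REQUIRED_FIELDS if f not in header]
    if missing:
        raise ValueError("lookup header missing: " + ", ".join(missing))
    table = {}
    for lineno, row in enumerate(reader, start=2):
        # DictReader files surplus values under the key None and fills short rows with None.
        if None in row or any(v is None for v in row.values()):
            raise ValueError(f"line {lineno}: field count does not match header")
        float(row["client_lat"])   # reject coordinates the map cannot plot
        float(row["client_lon"])
        table[row[key_field]] = row
    return table


def first_two_octets(ip):
    """Derive the subnet key from an IPv4 address (assumption: key = first two octets)."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(parts[:2])


def apply_lookup(events, table, event_field):
    """Mimic `| lookup csv_geoip subnet as src_subnet`: exact match of the event's
    event_field against the lookup key; matching events gain the five output fields,
    non-matching events are returned as they were."""
    out = []
    for ev in events:
        ev = dict(ev)
        row = table.get(ev.get(event_field))
        if row is not None:
            for f in REQUIRED_FIELDS:
                ev[f] = row[f]
        out.append(ev)
    return out


def enrich(events=EVENTS):
    """Full pipeline: validate the lookup, derive src_subnet, apply the lookup."""
    table = load_lookup(GEO_INFO_CSV, "subnet")
    keyed = [dict(ev, src_subnet=first_two_octets(ev["src_ip"])) for ev in events]
    return apply_lookup(keyed, table, "src_subnet")


if __name__ == "__main__":
    for ev in enrich():
        print(ev)
```

The validation matters more than it looks: a single row with a stray extra column (as in a hand-edited CSV) or a lat/lon with a typo silently produces events with no coordinates, and the map just shows nothing for them.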