Thanks For Downloading!Review the documentation below and follow any custom installation steps. If no install steps are listed, most Splunk Apps and Add-ons can be installed as follows: Windows: Decompress the downloaded file using a tool like 7-Zip and place the resulting folder into Unix/Linux: Decompress the downloaded file using a tool like DescriptionGoogle Maps for Splunk adds a geo-visualization module based on the Google Maps API and allows you to quickly plot geographical information on a map. Furthermore maps can be embedded in advanced dashboards. Professional Services and SupportThis add-on has been developed by SPP (http://www.spp.at/), a Splunk Partner located in Vienna, Austria. If you require support on getting solutions using Google Maps up and running, please contact splunk@spp.at. Licence and Terms of UseThis app is licensed under the terms of the Creative Commons license and provided as-is without any warranty. It uses thrird-party components that are licensed differently:
Using the Google Maps Search ViewThe App provides a flashtimeline-like view which allows you to simply enter a search and display the results on the map. In order to plot search results on the map they have to have some kind of location information attached. This location information has to be included in a field with the name _geo and has to be formatted as "<latitude>,<longitude>". Latitude and Longitude have to be expressed as floating point numbers. As an example "47.11,0.815" would be a valid _geo value. Other notations (like 47°12',...) are not supported. In most cases you don't have to build the _geo field yourself. The built-in geolocation lookup methods (geoip command and geo lookup) are emitting this field by default. In cases where you already have geolocation information in your results, you can leverage the geonormalize command to build the _geo value for you. Geolocation Lookup for IP addressesPerforming Gelocation Lookup on external IP addressesExternal IP address values can be easily translated to locations by using the built-in geoip command or the geo lookup. Examples:Perform a geolocation lookup for values of the clientip field in access_combined events: Performing Gelocation Lookup on internal IP addressesIn order to perform geolocation lookup on private IP address ranges you have to implement a lookup yourself. Splunk provides multiple ways to achieve this:
Performing combined Geolocation Lookup on IP adressesLookups for external and interal IP addresses can be easily combined. Examples:
Use existing geolocation information available in search resultsIt's common case that events already contain geo information. The geonormalize commandThe geonormalize command can detect existing fields containing the geoinformation and normalizes them for the GoogleMaps module. For doing this the command searches for field pairs (a latitude field and a longitude field) matching a name scheme. The values of those fields are then merged and emitted as the _geo field. The following name schemes are supported:
So for example when an event has the fields gps_lat=47.11 and gps_lon=0.815 the geonormalize command will detect those fields and emit the _geo field with the value 47.11,0.815. Example: Manual building the _geo fieldIf you don't want to use the geonormalize command or if the location fields do not match any naming scheme, you can manually build the _geo field. Example: Creating Dashboards with Google MapsThis add-on provides a Splunk UI module called GoogleMaps. This module can only be using in *advanced XML* dashboards. The usage of the module is quite similar to any built-in module in Splunk which displays results (like SimpleResultsTable, EventsViewer, etc.). Example: All available options to the module can be found at the module reference at your Splunk instance at http://localhost:8000/modules#Splunk.Module.GoogleMaps Versions and Release Notes
Version 1.1 (current version - updated May 31, 2011)
Version 1.1
(updated May 31, 2011)
release notes:
Internal changes
The module now uses the _geo field instead of the _lat and _lng fields to resolve the location. The geoip and the geonormalize command are now emitting this field. It contains the combined latitude/longitude information in the form <lat>,<lng> (eg. 47.11,0.815).
Geolocation Lookup
The geolocation lookup now uses the Maxmind GeoLite City database. The geoip command is now emitting different fields:
<field>_latitude, <field>_longitude, <field>_country_name, <field>_country_code, <field>_region_name, <field>_city, and the _geo field
UI Changes
- More configuration options for the module
- Scrollwheel zooming is turned off by default
- Streetview is turned off
- Introduced opacity for cluster icons (Only in Browsers supporting native opacity).
- Added new mapStyles (See dark view).
- The module now persist settings like center, zoom and map style.
- Removed fields side-panel
- Added 2 panel to kind-of debug the results (Geo Results and Events)
Drilldown
Version 1.0.1
(updated Aug 31, 2010)
release notes:
Google Maps Version 1.0.1
- Enhanced clustering of the results displayed on the Google Map
- Improved performance for both the geoip and geonormalize command
- Added a custom results header in the maps view which displays the count of results with geo information as well as the count of distinct locations
|
Great app! Very easy to use! The only glitch I've hit is that for one particular search, it seems to stop after 18000 total, not unique, geolocations. I am totally sure the search I am using to feed this app returns way more IPs than just 18000.
I'd totally recommend this app anyway
Hey,
Can this App be modified/used to show status of critical devices, plotted against the map. For example, if a machines state was "down" it would should red mark, if a machines state was "up" it would show a green mark?
Regards,
MHibbin
after compiling Maxmind C API where do i copy the libraries to to make Maps App happy when changing setup from pygeoip to geoip? the setup page says "The Maxmind C API provides superior performance compared to pygeoip but needs to be installed into the Splunk libraries"
also, my Splunk server needs to use proxy to get to internet, so where to configure that, or do all apps use the proxy settings in splunk-launch.conf ?
Hi,
Firstly great app!
One question though... When load a view with map on, the results are populated... only after I have manually dragged the map around. I wasn't sure if I need to use a certain "param" for this rendering.
Regards,
MHibbin
The results should render instantly. This sounds like a bug. What browser are you using?
why geoip only shows some events but not all...? supposably it has to show 4 million events for a sourcetype, it only shows 19,000!!
Using this on 4.3 and my overall CSS gets completely whacked out. Have you tested it on 4.3 yet?
What build and client OS/browser are you using? Just tried it with 4.3 beta build 111122 in Firefox and Safari and it seems to work fine.
+1 works on 4.3. but if you don't have an internet connection, you'll get errors.
Yup, Google Maps requires an internet connection.
is it possible to look up lat/long using zipcode if its already available in the search data?
Yes, this is possible. The app itself does not supply such a lookup table. You have to add it yourself (you should be able to find such a list on the internet somewhere easily). The lookup table has to supply the latitude and longitude. You can either use the geonormalize command after the lookup or use the eval command to construct the _geo field manually (see app description on how to do that).
Great app! Thanks a lot for sharing with the community.
Does it support commercial version of the MAXMIND db?
Yes, you should be able to use the commercial database from maxmind as well.
Hi,
as far as I can see, IPInfoDB has changed its format... Do yu plan to migrate your app to the new format?
cheers, Andy
P.S.: Great App!!
Actually no, since they also changed their usage terms, the Maxmind geolocation database will be leveraged instead.
