* Deprecation Warning: Please be aware that this tutorial will not work on Splunk versions 6.2 and above.
One of my recent blog posts/screencasts discusses how to integrate CartoDB into Splunk in order to provide a cool map with some animations. Now, we’re going to move on to the next level. This three-part blog post/screencast combo allows for even more visual control and enables you to drill deeper into the details you’re looking for.
More specifically, we will be going through the steps of creating a custom Threat Map. During this process we will be using Google Maps, which is fortunately already built into Splunk. We will be using the Splunk Web Framework to build out our app.
Part 1 will cover the basics of setting up a Google Map in Splunk with the Splunk Web Framework. Part 2 will show how to customize the map and add our awesome custom threat skull icons. Finally, part 3 shows how to pass token values from this map to another visualization (in this case, an area chart that will show how many times a source IP hit our firewall over a period of time).
UFW logs indexed by Splunk will be used for these examples, but you can replace them with your own logs. Any will do as long as you can pull out the latitude and longitude properties in your search.
The attractive thing about Google Maps is that we can use custom icons. In this specific scenario, we are going to use skulls to represent the number of times a specific IP hits our firewall. The more times a specific IP hits our firewall, the bigger the skull icon will get (as it represents a potentially bigger threat), and the icon will change color as well.
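As an added example (not a search from the original post), here is one way to get the latitude, longitude and hit count per source IP out of indexed UFW logs, which is exactly what the map needs to place and size each skull. It assumes the UFW events live in an index named `ufw` and that Splunk's automatic KEY=VALUE extraction has produced the `SRC` field from lines like `SRC=203.0.113.10`; both of those are assumptions about your environment. The `iplocation` command ships with Splunk and adds `lat` and `lon` (plus City, Country and Region) from its bundled GeoIP database.

```spl
index=ufw SRC=*
| iplocation SRC
| search lat=* lon=*
| stats count AS hits BY SRC lat lon
| sort - hits
```

The `search lat=* lon=*` line drops private or unroutable addresses that `iplocation` cannot resolve, so the map is not fed rows with empty coordinates. The `hits` field is what the later parts scale the skull icon and its color from, and `SRC` is the value that gets handed to the area chart as a token.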
Here’s what the end result will look like: