Use googlemaps app instead of amMap for Cisco Security App?

dnolan
Explorer

Anyone tried to swap out the amMap flash map in the Cisco Security App and replace it with the new google maps app? How hard is it? How is the performance compared to the flash app? Any chance of the Cisco Security App gaining a configuration option to select which mapping app to use?

Will_Hayes
Splunk Employee

You win Ziegfried! The next release of the Cisco Security App will be utilizing your brilliant work with Google Maps. I'm packing up my flash and going home! 😉

araitz
Splunk Employee

SPP 1, Bill Hayes 0 😉

0 Karma

ziegfried
Influencer

Yes, it is possible. You'll have to edit the cisco_security_overview view. It is located at

$SPLUNK_HOME/etc/apps/SplunkForCiscoSecurity/default/data/ui/cisco_security_overview.xml

As of line 33, replace this:

<module name="HiddenSearch" layoutPanel="panel_row1_col1" group="" autoRun="True">
    <param name="search">eventtype="cisco*" OR eventtype="ironport*"  src_ip=* src_ip!=10.* src_ip!=192.* src_ip!=0.0.* | stats count by src_ip | eval count_label="Cisco Security Event" | eval iterator="src_ip" | eval iterator_label="IP" | eval movie_color="#FF0000" | eval output_file="rt_threat_data.xml" | eval app="SplunkforCiscoSecurity" | lookup geoip clientip as src_ip | ciscomap</param>
    <param name="earliest">rt</param>
    <param name="latest">rt</param>
    <module name="JobProgressIndicator"/>
</module>
<module name="LinkSwitcher" layoutPanel="panel_row1_col1" group="Cisco Security Events by Geo">
    <param name="mode">independent</param>
    <param name="label"> </param>
    <module name="ServerSideInclude"  group="Real Time" layoutPanel="panel_row1_col1">
        <param name="src">rt_map.html</param>
    </module>
    <module name="ServerSideInclude" group="Last 24 Hours" layoutPanel="panel_row1_col1">
        <param name="src">threat_map.html</param>
    </module>
</module>

with this:

<module name="TimeRangePicker" layoutPanel="panel_row1_col1">
    <param name="searchWhenChanged">true</param>
    <param name="default">All time (real-time)</param>
    <module name="HiddenSearch" group="" autoRun="True">
        <param name="search">eventtype="cisco*" OR eventtype="ironport*"  src_ip=* src_ip!=10.* src_ip!=192.* src_ip!=0.0.* | stats count as _geo_count by src_ip | geoip src_ip</param>
        <module name="GoogleMaps">
            <param name="autoPostProcess">false</param>
            <param name="height">350</param>
            <param name="mapType">terrain</param>
            <param name="mapTypeControl">on</param>
            <param name="navigationControl">on</param>
            <param name="scaleControl">on</param>
            <param name="scrollwheel">off</param>
        </module>
    </module>
</module>

The Google Maps app has to be installed prior to doing this. Please create a backup of the view file first.

To see the changes, you have to reload the CiscoSecurity app (e.g. click on the Splunk icon on the top left).

There are a few caveats using this solution:

  • Currently, no drill-down
  • You'll have to use the time-range picker instead of the link for realtime or last 24 hours

Let me know how this works for you.
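
The steps in the answer above (back up the view, swap the two amMap modules for the Google Maps block) can be scripted so the file is only written if both old modules are actually found. This is an added example, not part of the original answer or of either app; the function names and the `.bak` suffix are assumptions, and the view path is passed in by the caller.

```python
import shutil
import xml.etree.ElementTree as ET

# Replacement modules copied from the answer above; function names are hypothetical.
GOOGLE_MAPS_BLOCK = """<module name="TimeRangePicker" layoutPanel="panel_row1_col1">
    <param name="searchWhenChanged">true</param>
    <param name="default">All time (real-time)</param>
    <module name="HiddenSearch" group="" autoRun="True">
        <param name="search">eventtype="cisco*" OR eventtype="ironport*"  src_ip=* src_ip!=10.* src_ip!=192.* src_ip!=0.0.* | stats count as _geo_count by src_ip | geoip src_ip</param>
        <module name="GoogleMaps">
            <param name="autoPostProcess">false</param>
            <param name="height">350</param>
            <param name="mapType">terrain</param>
            <param name="mapTypeControl">on</param>
            <param name="navigationControl">on</param>
            <param name="scaleControl">on</param>
            <param name="scrollwheel">off</param>
        </module>
    </module>
</module>"""

def _is_ammap_module(mod):
    """True for the two modules the answer replaces: the ciscomap search and its LinkSwitcher."""
    if mod.get("name") == "LinkSwitcher":
        return mod.get("group") == "Cisco Security Events by Geo"
    search = mod.find("param[@name='search']")
    return (mod.get("name") == "HiddenSearch" and search is not None
            and "ciscomap" in (search.text or ""))

def swap_map_modules(view_xml):
    """Return the view XML with both amMap modules replaced by GOOGLE_MAPS_BLOCK."""
    root = ET.fromstring(view_xml)  # note: ElementTree discards XML comments
    for parent in root.iter():
        old = [m for m in parent.findall("module") if _is_ammap_module(m)]
        if len(old) == 2:
            new = ET.fromstring(GOOGLE_MAPS_BLOCK)
            parent.insert(list(parent).index(old[0]), new)  # keep the panel position
            for m in old:
                parent.remove(m)
            return ET.tostring(root, encoding="unicode")
    raise ValueError("amMap modules not found; view left unchanged")

def patch_view(path):
    """Back up the view to <path>.bak, then rewrite it in place."""
    with open(path, encoding="utf-8") as f:
        patched = swap_map_modules(f.read())  # raises before anything is written
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as f:
        f.write(patched)
```

Restoring the `.bak` copy over the view file undoes the change.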

tcgprez
New Member

I take it you never got an answer to this question? You didn't happen to figure it out yourself, did you? If so, please do tell. Many thanks.

0 Karma