
Use googlemaps app instead of amMap for Cisco Security App?

Explorer

Anyone tried to swap out the amMap flash map in the Cisco Security App and replace it with the new google maps app? How hard is it? How is the performance compared to the flash app? Any chance of the Cisco Security App gaining a configuration option to select which mapping app to use?

Splunk Employee

You win Ziegfried! The next release of the Cisco Security App will be utilizing your brilliant work with Google Maps. I'm packing up my flash and going home! 😉

Splunk Employee

SPP 1, Bill Hayes 0 😉


Influencer

Yes, it is possible. You'll have to edit the cisco_security_overview view. It is located at

$SPLUNK_HOME/etc/apps/SplunkForCiscoSecurity/default/data/ui/cisco_security_overview.xml

Starting at line 33, replace this:

<module name="HiddenSearch" layoutPanel="panel_row1_col1" group="" autoRun="True">
    <param name="search">eventtype="cisco*" OR eventtype="ironport*"  src_ip=* src_ip!=10.* src_ip!=192.* src_ip!=0.0.* | stats count by src_ip | eval count_label="Cisco Security Event" | eval iterator="src_ip" | eval iterator_label="IP" | eval movie_color="#FF0000" | eval output_file="rt_threat_data.xml" | eval app="SplunkforCiscoSecurity" | lookup geoip clientip as src_ip | ciscomap</param>
    <param name="earliest">rt</param>
    <param name="latest">rt</param>
    <module name="JobProgressIndicator"/>
</module>
<module name="LinkSwitcher" layoutPanel="panel_row1_col1" group="Cisco Security Events by Geo">
    <param name="mode">independent</param>
    <param name="label"> </param>
    <module name="ServerSideInclude" group="Real Time" layoutPanel="panel_row1_col1">
        <param name="src">rt_map.html</param>
    </module>
    <module name="ServerSideInclude" group="Last 24 Hours" layoutPanel="panel_row1_col1">
        <param name="src">threat_map.html</param>
    </module>
</module>

with this:

<module name="TimeRangePicker" layoutPanel="panel_row1_col1">
    <param name="searchWhenChanged">true</param>
    <param name="default">All time (real-time)</param>
    <module name="HiddenSearch" group="" autoRun="True">
        <param name="search">eventtype="cisco*" OR eventtype="ironport*"  src_ip=* src_ip!=10.* src_ip!=192.* src_ip!=0.0.* | stats count as _geo_count by src_ip | geoip src_ip</param>
        <module name="GoogleMaps">
            <param name="autoPostProcess">false</param>
            <param name="height">350</param>
            <param name="mapType">terrain</param>
            <param name="mapTypeControl">on</param>
            <param name="navigationControl">on</param>
            <param name="scaleControl">on</param>
            <param name="scrollwheel">off</param>
        </module>
    </module>
</module>

The Google Maps app has to be installed before doing this. Please create a backup of the view file first.

To see the changes, you have to reload the CiscoSecurity app (e.g. click on the Splunk icon on the top left).

There are a few caveats using this solution:

  • Currently, no drill-down
  • You'll have to use the time-range picker instead of the link for realtime or last 24 hours

Let me know how this works for you.
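The edit above is a mechanical one (find the HiddenSearch that pipes into ciscomap, drop the LinkSwitcher that fed the flash map, put a TimeRangePicker/HiddenSearch/GoogleMaps stack in its place), so it can be scripted rather than done by hand in an editor. The script below is an added example, not code from the Cisco Security app, the Google Maps app or the answer's author. It assumes the Splunk 4.x advanced-XML layout shown in the answer: a `module name="HiddenSearch"` whose search ends in `| ciscomap`, followed by a `module name="LinkSwitcher"` with group `Cisco Security Events by Geo`. The rewritten search keeps everything before the first `| stats` (the eventtype and src_ip filter) and re-aggregates into the `_geo_count`/`geoip` form from the answer; the module and param names are those of the answer's replacement block. Writing the result to the app's `local/` copy instead of overwriting `default/`, and the timestamped backup name, are the example's own choices (Splunk layers `local/` over `default/`, so the edit survives an app upgrade). The embedded sample view is a constructed, shortened stand-in for cisco_security_overview.xml so the script runs offline.

```python
"""Swap the amMap (ciscomap) panel of a Splunk advanced-XML view for the
GoogleMaps module. Added example; assumes the view layout shown in the
answer above. Usage: python swap_map.py <src view.xml> <dst view.xml>"""

import shutil
import sys
import time
from pathlib import Path
import xml.etree.ElementTree as ET

GEO_GROUP = "Cisco Security Events by Geo"

# GoogleMaps module parameters, copied from the answer's replacement block.
GOOGLEMAPS_PARAMS = [
    ("autoPostProcess", "false"), ("height", "350"), ("mapType", "terrain"),
    ("mapTypeControl", "on"), ("navigationControl", "on"),
    ("scaleControl", "on"), ("scrollwheel", "off"),
]

# Constructed, shortened stand-in for cisco_security_overview.xml (offline demo).
SAMPLE_VIEW = """<view template="dashboard.html">
  <label>Cisco Security Overview</label>
  <module name="HiddenSearch" layoutPanel="panel_row1_col1" group="" autoRun="True">
    <param name="search">eventtype="cisco*" OR eventtype="ironport*"  src_ip=* src_ip!=10.* src_ip!=192.* src_ip!=0.0.* | stats count by src_ip | eval count_label="Cisco Security Event" | lookup geoip clientip as src_ip | ciscomap</param>
    <param name="earliest">rt</param>
    <param name="latest">rt</param>
    <module name="JobProgressIndicator"/>
  </module>
  <module name="LinkSwitcher" layoutPanel="panel_row1_col1" group="Cisco Security Events by Geo">
    <param name="mode">independent</param>
    <module name="ServerSideInclude" group="Real Time" layoutPanel="panel_row1_col1">
      <param name="src">rt_map.html</param>
    </module>
  </module>
</view>
"""


def is_ciscomap_search(module):
    """True for a HiddenSearch module whose search pipes into ciscomap."""
    if module.tag != "module" or module.get("name") != "HiddenSearch":
        return False
    param = module.find("param[@name='search']")
    return param is not None and (param.text or "").rstrip().endswith("| ciscomap")


def googlemaps_search(old_search):
    """Keep the event filter (everything before the first '| stats') and
    re-aggregate into the _geo_count/geoip form the GoogleMaps module wants."""
    base = old_search.split("| stats", 1)[0].strip()
    return base + " | stats count as _geo_count by src_ip | geoip src_ip"


def build_geo_panel(search, layout_panel):
    """Build the TimeRangePicker > HiddenSearch > GoogleMaps stack from the answer."""
    picker = ET.Element("module", {"name": "TimeRangePicker", "layoutPanel": layout_panel})
    ET.SubElement(picker, "param", {"name": "searchWhenChanged"}).text = "true"
    ET.SubElement(picker, "param", {"name": "default"}).text = "All time (real-time)"
    hidden = ET.SubElement(picker, "module", {"name": "HiddenSearch", "group": "", "autoRun": "True"})
    ET.SubElement(hidden, "param", {"name": "search"}).text = search
    gmap = ET.SubElement(hidden, "module", {"name": "GoogleMaps"})
    for key, value in GOOGLEMAPS_PARAMS:
        ET.SubElement(gmap, "param", {"name": key}).text = value
    return picker


def swap_map_panels(root):
    """Replace every ciscomap panel (plus the LinkSwitcher that followed it)
    in place. Returns the number of panels swapped."""
    swapped = 0
    for parent in list(root.iter()):  # snapshot: the tree is mutated while walking
        children = list(parent)
        for idx in reversed(range(len(children))):  # reversed keeps earlier indices valid
            child = children[idx]
            if not is_ciscomap_search(child):
                continue
            old = child.find("param[@name='search']").text
            panel = build_geo_panel(googlemaps_search(old), child.get("layoutPanel", "panel_row1_col1"))
            parent.remove(child)
            # The Real Time / Last 24 Hours LinkSwitcher only served the flash map.
            for sibling in children[idx + 1:]:
                if sibling.tag == "module" and sibling.get("name") == "LinkSwitcher" \
                        and sibling.get("group") == GEO_GROUP:
                    parent.remove(sibling)
                    break
            parent.insert(idx, panel)
            swapped += 1
    return swapped


def parse_view(text):
    """Parse view XML from a string."""
    return ET.fromstring(text)


def convert_view(src, dst):
    """Read the view at src, swap its map panels and write dst (meant to be the
    app's local/ copy, leaving default/ untouched). Any existing dst is backed
    up with a timestamp first. Returns the number of panels swapped."""
    src, dst = Path(src), Path(dst)
    tree = ET.parse(str(src))
    swapped = swap_map_panels(tree.getroot())
    if dst.exists():
        shutil.copy2(dst, dst.with_name(dst.name + time.strftime(".%Y%m%d%H%M%S.bak")))
    dst.parent.mkdir(parents=True, exist_ok=True)
    tree.write(str(dst), encoding="utf-8", xml_declaration=True)
    return swapped


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(f"swapped {convert_view(sys.argv[1], sys.argv[2])} panel(s)")
    else:  # no paths given: show the transform on the constructed sample
        demo = parse_view(SAMPLE_VIEW)
        print(f"swapped {swap_map_panels(demo)} panel(s)")
        print(ET.tostring(demo, encoding="unicode"))
```

Run it with no arguments to see the rewritten sample, or with the default/ view as source and the matching path under local/data/ui/ as destination; then reload the app as the answer describes. ElementTree drops XML comments and normalises whitespace, so diff the result against the original before relying on it.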

New Member

I take it you never got an answer to this question? You didn't happen to figure it out yourself did you? If so, please do tell. Many thanks.
