Archive

simple question about google maps app and how to work with

Explorer

Hi all,

I am using Google Maps App with the MAXMIND Addon.

I get a firewall log, like this (via syslog) :

Dec 1 14:58:05 15.166.100.200 Firewall: 1Dec2011 15:55:29 drop 15.166.100.200 >eth0 inzone: External; outzone: External; rule: 12; ruleuid: {648AE9D8}; rulename: cleaner1!; src: 65.111.222.333; dst: 15.166.100.200; proto: udp; product: VPN-1 & FireWall-1; service: domain-udp; s_port: 65106;

I am new in Splunk and I tried since the last days to use the public source IP Adresse to locate and paint it in the Google Maps app, without success.

I think I need to put the src field in the clientip field that the MAXMIND Addon can work with, because the src field is not known for the script.

It that right?

I would really appriciate any examples how to solve my problem.

Thanky you very much in advise

edit

I tried that :

  • | rex "(?\d+.\d+.\d+.\d+)" | eval clientip=src | lookup geoip clientip

It matched but there were no bubbles in my map.

Thanks !

Tags (2)
0 Karma

Contributor

Try:

| rex field=_raw "src: (?<ip>[^;]+)" | geoip ip

The rex should match on the "src: " text and include everything up to the semi-colon. You might need to escape the semi-colon with a . You don't need to run "lookup" for the Google Maps App (at least, I don').

Path Finder

So, I also downloaded the Google map app (MAXMIND) for Splunk.
I have the coordinates for each building and I want to display the location on google map with a line pointing to each snmp /mdf point in the building. Whenever I run the ip_src search - nothing is populated.
What can I next?

0 Karma