
IP reputation app and nothing in Critical Network Traffic dashboard

blmurphy
Explorer

I have my web log data going to Splunk and have installed this app. I have obtained a key from the honeypot database, and the threatscore request function returns threat scores if I pipe search results to | lookup threatscore clientip as ... using my weblog index (wwwlogs) and searching for clientip=*.

When I launch the app, my Critical Network Traffic dashboard states "No results found". I appear to have some data in the KPI dashboard.

Any assistance on just how to make the dashboard work would be greatly appreciated.
Thank you.

0 Karma

blmurphy
Explorer

Thanks for that response, but I don't see anything to really adjust in the XML for the view for this dashboard.

0 Karma

Adrian
Path Finder

I had to adjust the search parameter portion of the Threat_Map_Overview view in Settings » User interface » Views » Threat_Map_Overview to something like this:

index=firewall | rename src as clientip | lookup threatscore clientip | where threatscore>0 | geoip clientip

You might have to do the same for the dashboard in question.

0 Karma

blmurphy
Explorer

Sorry, I am a little thick in the head sometimes. I have located the searches under Searches and Reports and can modify them there. Thanks.

0 Karma

blmurphy
Explorer

I see in the XML for the Threat_Map view how I would modify the search, but I'm not sure how to do the same sort of thing for the Critical_Network_Traffic dashboard. I do need to modify my search, as when I take the searches and manually apply them with the changes, they appear to provide the data required.

0 Karma

Adrian
Path Finder

One of the searches that populates that dashboard is Critical Network Traffic Analyzer: search = eventtype="ip_check" | stats count by src_ip dst_ip dst_port protocol | lookup threatscore clientip AS dst_ip | sort -threatscore

Do your fields match the search? It would help if you could provide some sample log data as well.

FYI: make sure to comment under my answer/post, not your question; otherwise I don't receive an alert.

0 Karma
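The two searches quoted above (the firewall rename in Adrian's first reply and the stock Critical Network Traffic Analyzer search in the second) both hinge on field names: `lookup threatscore clientip AS dst_ip` reads the event field `dst_ip` and matches it against the lookup's `clientip` column, and `stats count by src_ip dst_ip dst_port protocol` drops any event that lacks one of those four fields. The block below is an added example, not Splunk code and not part of the IP reputation app; it models those SPL semantics in plain Python over constructed events and a constructed stand-in for the threatscore lookup table, so the "No results found" behaviour on web-log data can be reproduced offline. The `weblog_adapted_search` pipeline is a hypothetical adaptation keyed on the web log's own `clientip` field, not a search from the app; `geoip` is not modelled.

```python
"""Offline model of the SPL pipelines quoted in the thread (added example,
not Splunk or app code). Field semantics modelled:

  stats count by a b c d   -> events missing any by-field are dropped
  lookup T clientip AS f   -> matches event field f against T's clientip column
  where threatscore>0      -> rows with no threatscore are dropped
  rename old AS new        -> moves the value to the new field name
"""
from collections import Counter

# Constructed stand-in for the threatscore lookup table (not real reputation data).
THREATSCORE_TABLE = {"203.0.113.7": 45, "198.51.100.9": 12}

# Constructed web-log events in the original poster's shape: only 'clientip'.
WEBLOG_EVENTS = [
    {"eventtype": "ip_check", "clientip": "203.0.113.7", "uri": "/login"},
    {"eventtype": "ip_check", "clientip": "203.0.113.7", "uri": "/admin"},
    {"eventtype": "ip_check", "clientip": "192.0.2.5", "uri": "/"},
]

# Constructed firewall events in the shape the stock dashboard search expects.
FIREWALL_EVENTS = [
    {"eventtype": "ip_check", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7",
     "dst_port": "443", "protocol": "tcp"},
    {"eventtype": "ip_check", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7",
     "dst_port": "443", "protocol": "tcp"},
    {"eventtype": "ip_check", "src_ip": "10.0.0.9", "dst_ip": "192.0.2.5",
     "dst_port": "80", "protocol": "tcp"},
]


def rename(events, old, new):
    """SPL: rename <old> AS <new>."""
    out = []
    for e in events:
        e = dict(e)
        if old in e:
            e[new] = e.pop(old)
        out.append(e)
    return out


def stats_count_by(events, fields):
    """SPL: stats count by <fields>. Events lacking any by-field are dropped."""
    counts = Counter()
    for e in events:
        if all(f in e for f in fields):
            counts[tuple(e[f] for f in fields)] += 1
    return [dict(zip(fields, key), count=n) for key, n in counts.items()]


def lookup_threatscore(rows, event_field, table=THREATSCORE_TABLE):
    """SPL: lookup threatscore clientip AS <event_field>.
    threatscore is only added when the event field exists and matches a row."""
    out = []
    for r in rows:
        r = dict(r)
        if r.get(event_field) in table:
            r["threatscore"] = table[r[event_field]]
        out.append(r)
    return out


def where_threatscore_positive(rows):
    """SPL: where threatscore>0. Rows that never got a score are dropped."""
    return [r for r in rows if r.get("threatscore") is not None and r["threatscore"] > 0]


def sort_desc_threatscore(rows):
    """SPL: sort -threatscore. Unscored rows sort last in this model."""
    return sorted(rows, key=lambda r: r.get("threatscore", float("-inf")), reverse=True)


def stock_dashboard_search(events):
    """eventtype="ip_check" | stats count by src_ip dst_ip dst_port protocol
       | lookup threatscore clientip AS dst_ip | sort -threatscore"""
    rows = [e for e in events if e.get("eventtype") == "ip_check"]
    rows = stats_count_by(rows, ["src_ip", "dst_ip", "dst_port", "protocol"])
    return sort_desc_threatscore(lookup_threatscore(rows, "dst_ip"))


def weblog_adapted_search(events):
    """Hypothetical adaptation for web logs (not from the app):
       eventtype="ip_check" | stats count by clientip | lookup threatscore clientip
       | where threatscore>0 | sort -threatscore"""
    rows = [e for e in events if e.get("eventtype") == "ip_check"]
    rows = stats_count_by(rows, ["clientip"])
    rows = lookup_threatscore(rows, "clientip")
    return sort_desc_threatscore(where_threatscore_positive(rows))


if __name__ == "__main__":
    print("stock search, web logs          :", stock_dashboard_search(WEBLOG_EVENTS))
    print("stock search, web logs renamed  :",
          stock_dashboard_search(rename(WEBLOG_EVENTS, "clientip", "dst_ip")))
    print("stock search, firewall events   :", stock_dashboard_search(FIREWALL_EVENTS))
    print("adapted search, web logs        :", weblog_adapted_search(WEBLOG_EVENTS))
```

Running it shows the stock search returning nothing for the web-log events, and still nothing after renaming `clientip` to `dst_ip`, because `src_ip`, `dst_port` and `protocol` are also missing from the by-clause; the same search over firewall-shaped events returns scored rows, and the adapted search keyed on `clientip` returns the scored web-log client. That is the "Do your fields match the search?" check in executable form: either rename every field the dashboard search expects, or edit the search under Searches and Reports to use the fields your index actually has.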