I have my web log data going to splunk and have installed this app. I have obtained a key from honeypot database and have the threatscore request function returning threat scores if I pipe search request results to | lookup threatscore clientip as ... using my weblog index (wwwlogs) and searching for clientip=*.
When I launch the app my critical network traffic dashboard states no results found. I appear to have some data in the KPI dashboard.
Any assistance here would be greatly appreciated on just how to make the dashboard work.
I had to adjust the search parameter portion of the Threat_Map_Overview view in Settings » User interface » Views » Threat_Map_Overview to something like this:
index=firewall | rename src as clientip | lookup threatscore clientip | where threatscore>0 | geoip clientip
You might have to do the same for the dashboard in question.
I see in the XML for the view on the ThreatMap how I would modify the search, but I am not sure exactly how to do the same sort of thing on the criticalNetwork_Traffic dashboard. I do need to modify my search, as when I take the searches and manually apply them with the changes they appear to provide the data required.
One of the searches to populate that dashboard is Critical Network Traffic Analyzer: search = eventtype="ip_check" | stats count by src_ip dst_ip dst_port protocol | lookup threatscore clientip AS dst_ip | sort -threatscore
Do your fields match the search? It would help if you could provide some sample log data as well.
FYI: make sure to comment under my answer/post, not your question, otherwise I don't receive an alert.
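One way to carry the same rename/lookup change into the Critical Network Traffic dashboard, as an added Simple XML example that is not from the app or this thread (the dashboard label, panel title, time range and the assumption that the dashboard is Simple XML rather than advanced XML are mine):

```xml
<!-- Added example, not the app's own dashboard. Assumes the firewall events
     behind eventtype="ip_check" carry src_ip/dst_ip/dst_port/protocol; if your
     events name the source field "src" instead, add "| rename src AS src_ip"
     before the stats command, as in the Threat_Map_Overview fix above. -->
<dashboard>
  <label>Critical Network Traffic (corrected search)</label>
  <row>
    <panel>
      <title>Destinations with a threat score</title>
      <table>
        <search>
          <!-- The lookup is keyed on clientip, so map it onto the field that
               actually holds the address (dst_ip) instead of expecting a
               clientip field that the events never carry. -->
          <query>
            eventtype="ip_check"
            | stats count by src_ip dst_ip dst_port protocol
            | lookup threatscore clientip AS dst_ip
            | where isnotnull(threatscore) AND threatscore>0
            | sort -threatscore
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

If the panel still shows no results, run `eventtype="ip_check" | fieldsummary` to confirm which address fields your events actually contain before editing the query.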