I have my web log data going to splunk and have installed this app. I have obtained a key from honeypot database and have the threatscore request function returning threat scores if I pipe search request results to | lookup threatscore clientip as ... using my weblog index (wwwlogs) and searching for clientip=*.
When I lanch the app my critical network traffic dashboard states no results found. I appear to have some data in the KPI dashboard.
Any assistance here would be greatly appreciated on just how to make the dashboard work.
Thank You.
Thanks for that response but I don't see anything to really adjust in the xml for the view for this dashboard.
I had to adjust the search parameter portion of the Threat_Map_Overview view in Settings » User interface » Views » Threat_Map_Overview to something like this:
index=firewall | rename src as clientip | lookup threatscore clientip | where threatscore>0 | geoip clientip
You might have to do the same for the dashboard in question.
Sorry, I am a little thick in the head sometimes. I have located the searches under searches and report and can modify there. Thanks.
I see where in the XML for the view on the Threat_Map how I would modify the search but not sure on the critical_Network_Traffic dashboard exatly how to do the same sort of thing. I do need to modify my search as when I take the searchs and manually apply with the changes thyey appear to provide the data required.
One of the searches to populate that dashboard is Critical Network Traffic Analyzer: search = eventtype="ip_check" | stats count by src_ip dst_ip dst_port protocol | lookup threatscore clientip AS dst_ip | sort -threatscore
Do your fields match the search? It would help if you could provide some sample log data as well.
FYI: make sure to comment under my answer/post not your question otherwise I don't receive alert.