Splunk Search

Search on Lat/ Lon within a specific radius

Imjusttesting
Explorer

Hi Everyone,
I'm seeking an answer on how to do a search within Splunk that notifies you when something/someone is entering a particular Lat/Lon within a specific radius. It is basically geofencing.

We have a device that is sending Lat/ Lon every 30s and manually we added specific Lat / Lon & radius.

Right now, we are not too sure how to do the search that tells Splunk that a particular device has entered the specific area.

Appreciate any help on this

0 Karma

MuS
SplunkTrust

Hi lmjusttesting,

a quick and easy way to do this could be that you don't use a radius, but use a rectangle or geo box as your area. You can specify the lower left hand corner and the upper right hand corner in your search like this:

 your base search here to get lat lon | where lat<-42 AND lon>175 OR lat<-40 AND lon>173 | geostats count

Hope this helps to get you started ...

cheers, MuS

0 Karma

Imjusttesting
Explorer

Thanks Mus,

May I assume that "lat<-42 AND lon>175 OR lat<-40 AND lon>173" is the rectangle or geo box?

In my design layout, I'll probably let the user define their own radius/rectangle/geo box instead of having it in the search.

I guess my question is, would you be able to explain to me what "lat<-42 AND lon>175 OR lat<-40 AND lon>173" means, so I can incorporate it into the design layout and save it as a lookup file?

Many thanks
ZhaoYong

0 Karma

DMohn
Motivator

what does the "lat<-42 AND lon>175 OR lat<-40 AND lon>173" mean

In my opinion this command has a mistake and will not capture the desired events.

If you want the user to be able to create their own "geo fence", you can create a dashboard with text input fields for the lower left coordinates and the upper right coordinates, and then set up your search using the tokens from these fields:

 basesearch_creating_lat_and_lon | where lat>$lower_left_lat$ AND lat<$upper_right_lat$ AND lon>$lower_left_lon$ AND lon<$upper_right_lon$

This will capture all events, where the lat and lon values are inside the defined boundary box.

Be aware: There is no check, if the user defines valid values here! If you enter invalid values, the search will give wrong (or no) results. So maybe you should do some sanity checks as well.

0 Karma
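One way to do the sanity checks mentioned in the post above before the four corner values reach the search, as an added example that is not part of the thread. The names `Box`, `parse_box`, `is_rejected`, `inside` and `devices_inside` and the sample events are assumptions made for this sketch; the corner values are the ones used earlier in the thread.

```python
# Added example; every name below is illustrative, not Splunk's or the posters'.
import math
from typing import NamedTuple

class Box(NamedTuple):
    ll_lat: float  # lower-left corner
    ll_lon: float
    ur_lat: float  # upper-right corner
    ur_lon: float

def parse_box(ll_lat, ll_lon, ur_lat, ur_lon) -> Box:
    """Validate the four text inputs; raise ValueError instead of searching."""
    try:
        box = Box(*(float(v) for v in (ll_lat, ll_lon, ur_lat, ur_lon)))
    except (TypeError, ValueError):
        raise ValueError("every corner value must be a number") from None
    if not all(math.isfinite(v) for v in box):
        raise ValueError("NaN and infinity are not coordinates")
    if not all(-90 <= v <= 90 for v in (box.ll_lat, box.ur_lat)):
        raise ValueError("latitude must be within -90..90")
    if not all(-180 <= v <= 180 for v in (box.ll_lon, box.ur_lon)):
        raise ValueError("longitude must be within -180..180")
    # Swapped corners make "lat>ll AND lat<ur" unsatisfiable: no results, no error.
    if box.ll_lat >= box.ur_lat or box.ll_lon >= box.ur_lon:
        raise ValueError("lower-left must be south-west of upper-right")
    return box

def is_rejected(*corners) -> bool:
    """True when parse_box refuses the input."""
    try:
        parse_box(*corners)
    except ValueError:
        return True
    return False

def inside(box: Box, lat: float, lon: float) -> bool:
    """Same strict comparisons as the where clause in the post above."""
    return box.ll_lat < lat < box.ur_lat and box.ll_lon < lon < box.ur_lon

# Constructed sample events (device, lat, lon); not data from the thread.
EVENTS = [("dev-a", -41.29, 174.78), ("dev-b", -36.85, 174.76),
          ("dev-c", -41.90, 173.10), ("dev-d", -41.29, 175.50)]

def devices_inside(box: Box, events=EVENTS) -> list:
    return [dev for dev, lat, lon in events if inside(box, lat, lon)]

if __name__ == "__main__":
    fence = parse_box("-42", "173", "-40", "175")  # corners as typed by a user
    print(devices_inside(fence))
    print(is_rejected("-40", "173", "-42", "175"))  # swapped latitudes
```

A fence that crosses the 180° meridian has a lower-left longitude greater than its upper-right longitude and is rejected here, because the simple four-comparison filter cannot express it.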

MuS
SplunkTrust

Hi @DMohn, thanks for your input.
Both our searches return the same result. Maybe I use a more confusing way to set the bounding box, but this works perfect since I use it in many dashboards 🙂
Your radius example is very nice and if the question wasn't posted here, my answer would have been to use gpsbabel which makes it a lot easier:

gpsbabel -i inputtype -f file -x radius,distance=1.5M,lat=30.0,lon=-90.0 -o outputtype -F outputfile

cheers, MuS

0 Karma

Imjusttesting
Explorer

Thanks DMohn,

Yeah, we are doing a dashboard with text input fields or just CSV.

As for the left and upper right coordinates, are you able to explain more on it or is there a link for me to read up? So I can better understand and teach my user what to input for the left and upper right coordinates.

Won't a radius be easier to input (e.g. 2000m) than having to input both Left and Upper right coordinates?
Also, will this type of search be extensive, as it will keep looking up the coordinate to determine if it is within the marked area?

0 Karma

DMohn
Motivator

You can have a look on this page: http://boundingbox.klokantech.com/
It's a tool that will allow you to draw a box on a map, and output the geographical coordinates of the box boundaries.
Very roughly explained: If you have two points in a coordinate system, these points will allow you to draw a rectangle box with these points as lower left and upper right corners. So a geo boundary box can as well be defined by these two points.

Yes, a radius will be easier to input, but you will have to do the full maths to calculate the distance between your coordinates and your center point. If you want to go that way AND your distance calculation doesn't have to be 100% accurate, you can approximate the distance by using the Pythagorean theorem. And you will need the geographical distance constants to do the conversion from an angular distance to an actual distance. The longitudinal constant is 111.3, the latitudinal constant varies with the latitude, and can be calculated by 111.3 * cos(lat) - for central Europe, for example, it's 71.5

So you need the following values:
latconst => latitudinal constant (calculate!)
lonconst => 111.3
search_dist => Search radius (in km)
center_lat => latitude of your search center
center_lon => longitude of your search center

Maybe the formula is a bit complicated, but it will do the trick:

 basesearch_creating_lat_and_lon | eval latdist = latconst * abs(center_lat - lat) | eval londist = lonconst * abs(center_lon - lon) | eval dist = sqrt(pow(latdist,2)+pow(londist,2)) | where dist < search_dist

Imjusttesting
Explorer

Thanks DMohn,

Let me read the link and digest it and come back to you if I've any questions.

Anyway your explanation is pretty clear and easy to understand. You're like the expert for Map Coordinates 🙂

Appreciate it
iJT 🙂

jplumsdaine22
Influencer

You could eval a bounding box based off a radius input. But don't forget the distance between degrees of longitude and latitude changes depending on where you are. E.g. at the north pole there is essentially zero distance between any longitude line.

http://factually.gizmodo.com/how-precise-is-one-degree-of-longitude-or-latitude-1631241162

So you're going to have to have a pretty complicated expression.

Also you might want to check out the google apis: https://developers.google.com/places/. It might be easier to do the geolocation alerting outside of splunk

0 Karma
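The radius check and the radius-derived bounding box from the posts above, combined into an "entered the area" alert, as an added example that is not part of any post. Here 111.3 km per degree scales the latitude difference and is multiplied by cos(latitude) for the longitude difference, since longitude lines converge toward the poles; the fence centre, the 2 km radius, the fixes and all function names are assumptions made for the demo.

```python
# Added example; names and sample data are illustrative, not from the thread.
import math

KM_PER_DEG = 111.3  # km per degree, the constant quoted in the thread

def approx_km(lat, lon, c_lat, c_lon):
    """Pythagorean distance in km; east-west degrees shrink by cos(latitude)."""
    north_south = KM_PER_DEG * abs(c_lat - lat)
    east_west = KM_PER_DEG * math.cos(math.radians(c_lat)) * abs(c_lon - lon)
    return math.hypot(north_south, east_west)

def bounding_box(c_lat, c_lon, radius_km):
    """(south, west, north, east) box enclosing the circle: a cheap pre-filter."""
    if not (radius_km > 0 and abs(c_lat) < 90 and abs(c_lon) <= 180):
        raise ValueError("invalid fence definition")
    d_lat = radius_km / KM_PER_DEG
    d_lon = radius_km / (KM_PER_DEG * math.cos(math.radians(c_lat)))
    return (c_lat - d_lat, c_lon - d_lon, c_lat + d_lat, c_lon + d_lon)

def entries(fixes, c_lat, c_lon, radius_km):
    """Return (time, device) for each outside-to-inside transition.
    A device whose first fix is already inside counts as an entry."""
    south, west, north, east = bounding_box(c_lat, c_lon, radius_km)
    was_inside, alerts = {}, []
    for t, dev, lat, lon in sorted(fixes):
        in_box = south <= lat <= north and west <= lon <= east
        now_inside = in_box and approx_km(lat, lon, c_lat, c_lon) < radius_km
        if now_inside and not was_inside.get(dev, False):
            alerts.append((t, dev))
        was_inside[dev] = now_inside
    return alerts

# Constructed fixes (seconds, device, lat, lon), one every 30 s; the centre and
# the 2 km radius are assumptions for the demo, not values from the thread.
CENTER_LAT, CENTER_LON, RADIUS_KM = 50.0, 10.0, 2.0
FIXES = [
    (0, "dev-1", 50.00, 9.95), (30, "dev-1", 50.00, 9.97),
    (60, "dev-1", 50.00, 9.98), (90, "dev-1", 50.00, 10.00),
    (120, "dev-1", 50.03, 10.00), (150, "dev-1", 50.01, 10.00),
    (0, "dev-2", 50.016, 10.025),  # inside the box, outside the circle
]

if __name__ == "__main__":
    print(entries(FIXES, CENTER_LAT, CENTER_LON, RADIUS_KM))
```

Tracking the previous state per device is what turns "is inside" into "has entered": dev-1 alerts once on each crossing, and dev-2 never alerts although it sits inside the bounding box.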

Imjusttesting
Explorer

Thanks Jplumsdaine22,
I did consider doing the entire Geolocation, marking and alert outside of Splunk. But my entire system is built within Splunk so that is going to be slightly challenging.

Also, how is the other system going to pick up the data that is flowing directly into Splunk? That is the part I couldn't figure out. Do you have a suggestion?

0 Karma