I'm seeking an answer on how to do a search within Splunk that notifies you when something/someone is entering a particular Lat/Lon within a specific radius. It is basically geofencing.
We have a device that is sending Lat/Lon every 30s, and we manually added a specific Lat/Lon & radius.
Right now, we are not too sure how to do the search that tells Splunk that a particular device has entered the specific area.
Appreciate any help on this.
A quick and easy way to do this could be that you don't use a radius, but use a rectangle or geo box as your area. You can specify the lower left hand corner and the upper right hand corner in your search like this:
your base search here to get lat lon | where lat<-42 AND lon>175 OR lat<-40 AND lon>173 | geostats count
Hope this helps to get you started ...
May I assume that "lat<-42 AND lon>175 OR lat<-40 AND lon>173" is the rectangle or geo box?
In my design layout, I'll probably let the user define their own radius/rectangle/geo box instead of having it in the search.
I guess my question is, would you be able to explain to me what "lat<-42 AND lon>175 OR lat<-40 AND lon>173" means, so I can incorporate it into the design layout and save it as a lookup file.
What does "lat<-42 AND lon>175 OR lat<-40 AND lon>173" mean?
In my opinion this command has a mistake and will not capture the desired events.
If you want the user to be able to create their own "geo fence", you can create a dashboard with text input fields for the lower left coordinates and the upper right coordinates, and then set up your search using the tokens from these fields:
basesearch_creating_lat_and_lon | where lat>$lower_left_lat$ AND lat<$upper_right_lat$ AND lon>$lower_left_lon$ AND lon<$upper_right_lon$
This will capture all events, where the lat and lon values are inside the defined boundary box.
Be aware: There is no check whether the user defines valid values here! If you enter invalid values, the search will give wrong (or no) results. So maybe you should do some sanity checks as well.
Hi @DMohn, thanks for your input.
Both our searches return the same result. Maybe I use a more confusing way to set the bounding box, but this works perfectly since I use it in many dashboards 🙂
Your radius example is very nice and if the question wasn't posted here, my answer would have been to use gpsbabel, which makes it a lot easier:
gpsbabel -i inputtype -f file -x radius,distance=1.5M,lat=30.0,lon=-90.0 -o outputtype -F outputfile
Yeah, we are doing a dashboard with text input fields or just CSV.
As for the left and upper right coordinates, are you able to explain more on it or is there a link for me to read up? So I can better understand and teach my user what to input for the left and upper right coordinates.
Won't a radius be easier to input (e.g. 2000m) than having to input both Left and Upper right coordinates?
Also, will this type of search be extensive as it will keep looking up the coordinate to determine if it is within the marked area?
You can have a look on this page: http://boundingbox.klokantech.com/
It's a tool that will allow you to draw a box on a map, and output the geographical coordinates of the box boundaries.
Very roughly explained: If you have two points in a coordinate system, these points will allow you to draw a rectangle box with these points as lower left and upper right corners. So a geo boundary box can as well be defined by these two points.
Yes, a radius will be easier to input, but you will have to do the full maths to calculate the distance between your coordinates and your center point. If you want to go that way AND your distance calculation doesn't have to be 100% accurate, you can approximate the distance by using the Pythagorean theorem. And you will need the geographical distance constants to do the conversion from an angular distance to an actual distance. The longitudinal constant is 111.3, the latitudinal constant varies with the latitude, and can be calculated by 111.3 * cos(lat) - for Central Europe for example it's 71.5
So you need the following values:
latconst => latitudinal constant (calculate!)
lonconst => 111.3
search_dist => Search radius (in km)
center_lat => latitude of your search center
center_lon => longitude of your search center
Maybe the formula is a bit complicated, but it will do the trick:
basesearch_creating_lat_and_lon | eval latdist = latconst * abs(center_lat - lat) | eval londist = lonconst * abs(center_lon - lon) | eval dist = sqrt(pow(latdist,2)+pow(londist,2)) | where dist < search_dist
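The entry alert asked about at the top of the thread, as an added Python example that is not code from any poster: it validates the fence definition (the sanity check mentioned above), uses the haversine great-circle distance so no per-latitude constant has to be looked up, and reports only outside-to-inside transitions per device. The function names, the (time, device, lat, lon) tuple layout and the sample fixes are assumptions constructed for illustration.

```python
import math

EARTH_RADIUS_KM = 6371.0  # mean Earth radius

def validate_fence(center_lat, center_lon, radius_km):
    """Reject fence definitions that would silently give wrong or no results."""
    if not -90.0 <= center_lat <= 90.0:
        raise ValueError("center latitude must be within [-90, 90]")
    if not -180.0 <= center_lon <= 180.0:
        raise ValueError("center longitude must be within [-180, 180]")
    if not radius_km > 0:
        raise ValueError("radius must be a positive number of km")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def entry_events(fixes, center_lat, center_lon, radius_km):
    """Return (device, time) for every fix where a device goes from outside to inside."""
    validate_fence(center_lat, center_lon, radius_km)
    was_inside = {}
    entries = []
    for t, device, lat, lon in sorted(fixes):
        inside = haversine_km(center_lat, center_lon, lat, lon) <= radius_km
        # A device whose first known fix is already inside counts as an entry.
        if inside and not was_inside.get(device, False):
            entries.append((device, t))
        was_inside[device] = inside
    return entries

# Constructed sample data: fence centre, 2 km radius, fixes every 30 s.
FENCE = (1.3521, 103.8198, 2.0)
FIXES = [
    (0, "dev-1", 1.4000, 103.9000),    # roughly 10 km away, outside
    (30, "dev-1", 1.3600, 103.8300),   # roughly 1.4 km away, enters
    (60, "dev-1", 1.3530, 103.8200),   # still inside, no second alert
    (90, "dev-1", 1.4000, 103.9000),   # leaves
    (120, "dev-1", 1.3530, 103.8200),  # re-enters
    (0, "dev-2", 1.3000, 103.7000),    # never enters
]

if __name__ == "__main__":
    print(entry_events(FIXES, *FENCE))
```

Keeping the last inside/outside state per device is what turns a plain "is inside" filter into an "has entered" alert; without it every 30-second fix inside the fence would fire again.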
Let me read the link and digest it and come back to you if I've any questions.
Anyway your explanation is pretty clear and easy to understand. You're like the expert for Map Coordinates 🙂
You could eval a bounding box based off a radius input. But don't forget the distance between degrees of longitude and latitude changes depending on where you are. E.g. at the North Pole there is essentially zero distance between any longitude line.
So you're going to have to have a pretty complicated expression.
Also you might want to check out the Google APIs: https://developers.google.com/places/. It might be easier to do the geolocation alerting outside of Splunk.
I did consider doing the entire Geolocation, marking and alert outside of Splunk. But my entire system is built within Splunk so that is going to be slightly challenging.
Also, how is the other system going to pick up the data that is flowing directly into Splunk? That is the part I couldn't figure out. Do you have a suggestion?