The Splunk for amMap Flash Maps app requires 5 fields in order to properly plot your field values on the map. Those fields are:
client_country, client_region, client_city, client_lat, client_lon
These fields will most likely need to come from a lookup file. Instructions on setting up a lookup can be found here
@Will-Hayes,
Is it possible to use AmMap to display a devices status (up/down, green/red) by location?
Regards,
MHibbin
Hello Will, I have the same question. I'd like to map 30 IP address ranges to German city geo information.
How could I set up this internal IP address list, to map it again to geo information?
Do you have an example for me?
BR Michael
Here you go:
We need to create a csv lookup for your subnet field.
In transforms.conf add:
[csv_geoip]
filename = geo_info.csv
Next we create a csv file that outputs the fields expected by the amMap app. In lookups create a geo_info.csv and use the following header:
clientip,client_country,client_region,client_city,client_lat,client_lon
(You can change the clientip value to whatever you're going to match on, we just need to make that adjustment in the search)
So an example file could be:
"subnet","client_city","client_region","client_country","client_lat","client_lon"
"1.16",Arkhangelsk,06,"Russian Federation","64.5667","40.5333"
"192.23",Bucharest,10,Romania,"44.4333","26.1"
"128.16",Leningradskiy,15,"Russian Federation","69.3833","178.4167"
"10.19",Beijing,22,China,"39.9289","116.3883"
"123.19",Moscow,48,"Russian Federation","55.7522","37.6156"
Once you have that just make sure to use subnet in the lookup stanza.
The example search would look like this:
If you have subnet as a searchable field:
| lookup csv_geoip subnet
If you want to match subnet on another field:
| lookup csv_geoip subnet as src_subnet
Once you have this the app should work as expected.
Let me know if you have any other questions.
Will
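An offline check of a geo_info.csv like the one above, added here as an example and not part of the original thread: it verifies the columns the amMap app expects, flags rows with the wrong field count or bad coordinates, and resolves an IP through the subnet key. The function names are hypothetical, the sample data is constructed, and deriving the key from the first two octets is an assumption based on the sample file's keys.

```python
import csv
import io

# Fields the amMap app expects, per the thread above.
REQUIRED = ["client_country", "client_region", "client_city", "client_lat", "client_lon"]

# Constructed sample in the thread's layout; the last row is deliberately malformed.
SAMPLE_CSV = '''"subnet","client_city","client_region","client_country","client_lat","client_lon"
"192.23",Bucharest,10,Romania,"44.4333","26.1"
"123.19",Moscow,48,"Russian Federation","55.7522","37.6156"
"10.19",Beijing,22,China,"39.9289","116.3883",1
'''

def load_geo_lookup(text, key="subnet"):
    """Return ({key: row}, [problems]) for a geo lookup CSV."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, [])
    problems = [f"missing column: {c}" for c in [key] + REQUIRED if c not in header]
    table = {}
    if problems:
        return table, problems
    for lineno, fields in enumerate(reader, start=2):
        if len(fields) != len(header):
            problems.append(f"line {lineno}: {len(fields)} fields, expected {len(header)}")
            continue
        row = dict(zip(header, fields))
        try:
            lat, lon = float(row["client_lat"]), float(row["client_lon"])
        except ValueError:
            problems.append(f"line {lineno}: non-numeric coordinates")
            continue
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            problems.append(f"line {lineno}: coordinates out of range")
            continue
        table[row[key]] = row
    return table, problems

def subnet_key(ip):
    """First two octets of a dotted IPv4 address (assumed key style, as in the sample file)."""
    return ".".join(ip.split(".")[:2])

def geo_for_ip(ip, table):
    """Exact-match lookup on the derived key; None when the subnet is unmapped."""
    return table.get(subnet_key(ip))

if __name__ == "__main__":
    table, problems = load_geo_lookup(SAMPLE_CSV)
    print(problems, geo_for_ip("192.23.4.5", table))
```

A CSV lookup matches the key exactly by default, so the events need a field holding the same two-octet value before the lookup is applied.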
I'm a little unclear on how to link the geo data to internal subnets. Are you able to provide an example?