The Google GeoCode app translates address fields into (latitude, longitude) pairs and, in reverse, (latitude, longitude) pairs into addresses. Pipe your Splunk search into the "printgeocode" command to convert addresses to geolocation points or vice versa.
Version: 1.7.0
Any Operating system (tested on Windows 7/10 and Linux)
Splunk 6.4, 6.5, 6.6
your splunk query|printgeocode type=geocode address=Address_field
Geocoding returns three new fields: geolocation_status, geolocation_lat and geolocation_lon
OR
your splunk query|printgeocode type=reverse latfield=latfieldname lonfield=lonfieldname
Reverse Geocoding returns two new fields: geolocation_status and geolocation_addr
Here type=geocode tells the app to geocode and type=reverse tells it to reverse-geocode.
Address_field is the name of the text field in your data that contains a valid address; latfieldname and lonfieldname are the fields holding the latitude and longitude of a geopoint, respectively.
All output fields are prefixed with geolocation_.
index=test sourcetype="users_addresses"
| head 2
| table first_name last_name address city country Address
| printgeocode type=geocode address=Address
index=test sourcetype="users_addresses"
| head 2
| table first_name last_name address city country Address
| printgeocode type=geocode address=Address
| geostats count latfield=geolocation_lat longfield=geolocation_lon
index=test sourcetype="user_latlon"
| head 5
| table policyID line county point_latitude point_longitude
| printgeocode type=reverse latfield=point_latitude lonfield=point_longitude
As simple as looking for a location on Maps :)
The Google API key entered on the setup page is stored as a Splunk password, encrypted at rest, and is exposed through the REST endpoint:
https://<SPLUNK_SEARCH_HEAD_URL>:8089/servicesNS/nobody/GoogleGeoCode/storage/passwords
At search time the password is retrieved and decrypted before the API is invoked. On disk it is stored in $SPLUNK_HOME/etc/apps/GoogleGeoCode/local/passwords.conf:
[credential::Test Server Key:]
password = $1$DLLZaK+SYHMnEAonrZi7vpuOEpJUXvi3cX3mV1fonSgdiiz3ZR2BHg==
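The retrieval step described above, as an added example rather than the app's own code (which this page does not show): a custom search command reads the key back through the same storage/passwords endpoint, authenticating with the session key Splunk hands to the command, so the API key is never hard-coded in the script or written to the log. The endpoint path and the credential name "Test Server Key" come from the page (the stanza [credential::Test Server Key:] is a credential with an empty realm); the sample JSON response is constructed, its clear_password is a placeholder, and the session key is assumed to come from the command's search metadata.

```python
import json
import ssl
import urllib.parse
import urllib.request

# REST path from the app description; host/port are the search head's
# management interface (8089 by default).
PASSWORDS_ENDPOINT = "/servicesNS/nobody/GoogleGeoCode/storage/passwords"


def extract_clear_password(body, username, realm=""):
    """Pull the decrypted secret for one credential out of a storage/passwords
    response requested with output_mode=json. Returns None when nothing
    matches so the caller can fail closed instead of sending an empty key."""
    doc = json.loads(body)
    for entry in doc.get("entry", []):
        content = entry.get("content", {})
        if (content.get("username") == username
                and content.get("realm", "") == realm):
            return content.get("clear_password")
    return None


def fetch_api_key(session_key, username="Test Server Key",
                  host="localhost", port=8089, cafile=None):
    """Fetch the Google API key at search time. session_key is the key Splunk
    passes to the search command; the role running the search needs the
    list_storage_passwords capability. cafile is the CA bundle that signs
    the management port's certificate (verification stays on)."""
    query = urllib.parse.urlencode({"output_mode": "json", "count": 0})
    url = "https://%s:%d%s?%s" % (host, port, PASSWORDS_ENDPOINT, query)
    req = urllib.request.Request(
        url, headers={"Authorization": "Splunk " + session_key})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        body = resp.read().decode("utf-8")
    key = extract_clear_password(body, username)
    if not key:
        raise LookupError("no credential %r in storage/passwords" % username)
    return key   # use it in the Google request; never log or print it


# Constructed sample of what the endpoint returns for the stanza shown above.
# The encr_password is the value from this page; clear_password is a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "entry": [{
        "name": ":Test Server Key:",
        "content": {
            "username": "Test Server Key",
            "realm": "",
            "password": "********",
            "encr_password": "$1$DLLZaK+SYHMnEAonrZi7vpuOEpJUXvi3cX3mV1fonSgdiiz3ZR2BHg==",
            "clear_password": "PLACEHOLDER-NOT-A-REAL-GOOGLE-KEY",
        },
    }],
})


if __name__ == "__main__":
    print(extract_clear_password(SAMPLE_RESPONSE, "Test Server Key"))
```

Two points worth checking in any command that follows this pattern: the management port's certificate should be trusted through cafile rather than verification being switched off, and the log should record only the API status, as the googlegeocode.log lines further down do, never the clear_password value.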
The field geolocation_status carries the status returned by Google's Geocoding API. If everything is okay (valid input, remaining API-key quota, working Internet connection) the status is "OK". Some of the statuses returned by Google's API are:
If you get the error "OVER_QUERY_LIMIT", try one of these options:
Option 1: Get a new key and put its value in myconfig.py, then restart the Splunk search head; the results should be good again.
Option 2: Wait until midnight PST for the limit to reset :)
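How the geolocation_status field and the OVER_QUERY_LIMIT case can be handled inside the command, as an added example that is not the app's own code: the functions map a Geocoding API JSON response onto the fields printgeocode emits (geolocation_status, geolocation_lat and geolocation_lon for type=geocode; geolocation_status and geolocation_addr for type=reverse) and stop calling the API for the rest of a search's events once Google reports OVER_QUERY_LIMIT, so an exhausted key does not cost one wasted request per remaining event. The response bodies are constructed in the documented Geocoding response shape (the coordinates are the ones quoted on this page); query_api is an injected callable standing in for the HTTPS request.

```python
import json

# Statuses after which further requests in the same search are pointless.
STOP_STATUSES = {"OVER_QUERY_LIMIT"}


def geocode_fields(body):
    """Map a Geocoding API JSON body onto the fields printgeocode emits for
    type=geocode. Coordinates stay None unless status is OK and a result
    exists, so a later geostats never sees a half-filled point."""
    doc = json.loads(body)
    status = doc.get("status", "UNKNOWN_ERROR")
    fields = {"geolocation_status": status,
              "geolocation_lat": None, "geolocation_lon": None}
    if status == "OK" and doc.get("results"):
        loc = doc["results"][0]["geometry"]["location"]
        fields["geolocation_lat"] = loc["lat"]
        fields["geolocation_lon"] = loc["lng"]
    return fields


def reverse_geocode_fields(body):
    """Same for type=reverse: status plus the first formatted address."""
    doc = json.loads(body)
    status = doc.get("status", "UNKNOWN_ERROR")
    fields = {"geolocation_status": status, "geolocation_addr": None}
    if status == "OK" and doc.get("results"):
        fields["geolocation_addr"] = doc["results"][0]["formatted_address"]
    return fields


def annotate_events(events, query_api, mode="geocode", address="Address",
                    latfield="lat", lonfield="lon"):
    """Add geolocation_* fields to each event dict, mirroring the printgeocode
    options (mode = type; address/latfield/lonfield name the input fields).
    query_api(params) returns the API's JSON body. After a STOP_STATUSES
    status the remaining events are stamped with it and the API is not
    called again, which keeps the search fast and the quota untouched."""
    halted = None
    for ev in events:
        if halted:
            ev["geolocation_status"] = halted
            continue
        if mode == "geocode":
            fields = geocode_fields(query_api({"address": ev.get(address, "")}))
        elif mode == "reverse":
            latlng = "%s,%s" % (ev.get(latfield), ev.get(lonfield))
            fields = reverse_geocode_fields(query_api({"latlng": latlng}))
        else:
            raise ValueError("mode must be 'geocode' or 'reverse'")
        ev.update(fields)
        if fields["geolocation_status"] in STOP_STATUSES:
            halted = fields["geolocation_status"]
    return events


# Constructed responses in the documented Geocoding API shape, not captured
# from Google; keyed by the address that would have been sent.
SAMPLE_RESPONSES = {
    "1600 Amphitheatre Parkway, Mountain View, CA": json.dumps({
        "status": "OK",
        "results": [{
            "formatted_address": "1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA",
            "geometry": {"location": {"lat": 37.423021, "lng": -122.083739}},
        }],
    }),
    "no such street 0, Nowhere": json.dumps({"status": "ZERO_RESULTS", "results": []}),
    "quota-exhausted example": json.dumps({
        "status": "OVER_QUERY_LIMIT", "results": [],
        "error_message": "You have exceeded your daily request quota for this API.",
    }),
}


def demo():
    """Run four constructed events through annotate_events; returns the
    annotated events and how many API calls were actually made."""
    calls = []

    def fake_query(params):
        calls.append(params)
        return SAMPLE_RESPONSES[params["address"]]

    events = [{"Address": a} for a in (
        "1600 Amphitheatre Parkway, Mountain View, CA",
        "no such street 0, Nowhere",
        "quota-exhausted example",
        "1600 Amphitheatre Parkway, Mountain View, CA",  # never sent: halted
    )]
    annotate_events(events, fake_query)
    return events, len(calls)


if __name__ == "__main__":
    for ev in demo()[0]:
        print(ev)
```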
When you run the command, the information is logged into $SPLUNK_HOME/var/log/googlegeocode.log
2018-05-02 14:10:35,167 INFO In Reverse Geocode function
2018-05-02 14:10:37,578 INFO Status from Google GeoCoding API is OK
2018-05-02 14:21:28,525 INFO In Reverse Geocode function
2018-05-02 14:21:30,733 INFO Status from Google GeoCoding API is OK
More information and code are available here:
The app uses Google's Geocoding API. Here's the link to their documentation:
Geocoding is the process of converting addresses (like "1600 Amphitheatre Parkway, Mountain View, CA") into geographic coordinates (like latitude 37.423021 and longitude -122.083739), which you can use to place markers on a map, or position the map.
Reverse geocoding is the process of converting geographic coordinates into a human-readable address.
The Google Maps Geocoding API provides a direct way to access these services via an HTTP request. The following example uses the Geocoding service through the Google Maps JavaScript API to demonstrate the basic functionality.
For any issues or questions, please reach out to: meenal.luktuke@gmail.com
We provide only Level-1 support for this application.
Changed API from geopy to Google
Added error handling using field - geolocation_status
Added error handling with a new field - geolocation_status
Added conf for syntax highlighting
Added feature for Reverse Geocoding
Changed file permissions
Added code for setup.xml