icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Google Maps Add-on for Splunk Enterprise
SHA256 checksum (google-maps-add-on-for-splunk-enterprise_113.tgz) 5f389039b293742b45301913a79e3f71f3e1d0543267cab2778da175be0bf47f SHA256 checksum (google-maps-add-on-for-splunk-enterprise_112.tgz) 627cd0088ccea1af92273837783e1b6e1a85e56611d231e047cff697eab3a4a9 SHA256 checksum (google-maps-add-on-for-splunk-enterprise_111.tgz) e5346dda2972fe67a3c48b035ba0fcd146f379cba54fec687016e6eead773573 SHA256 checksum (google-maps-add-on-for-splunk-enterprise_11.tgz) 7151d9a9bc4243649cef315d75b273a6eb41324b5b973550ee94f44483f2412f SHA256 checksum (google-maps-add-on-for-splunk-enterprise_101.tgz) ab923a8be6987277fb91363219b2556e7b3da3ec279e78a51c86c2d17fcce27d
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

splunk

Google Maps Add-on for Splunk Enterprise

Splunk Cloud
This app has been archived. Learn more about app archiving.
This app is NOT supported by Splunk. Please read about what that means for you here.
Overview
Details
--- Check out Custom Cluster Map Visualization for a similar visualization for the latest version of Splunk ---

Google Maps for Splunk adds a geo-visualization module based on the Google Maps API and allows you to quickly plot geographical information on a map. Furthermore maps can be embedded in advanced dashboards.

Check out Custom Cluster Map Visualization for a similar visualization for the latest version of Splunk.

Licence and Terms of Use

This app is licensed under the terms of the Creative Commons license and provided as-is without any warranty. It uses thrird-party components that are licensed differently:

Using the Google Maps Search View

The App provides a flashtimeline-like view which allows you to simply enter a search and display the results on the map. In order to plot search results on the map they have to have some kind of location information attached. This location information has to be included in a field with the name _geo and has to be formatted as "<latitude>,<longitude>". Latitude and Longitude have to be expressed as floating point numbers. As an example "47.11,0.815" would be a valid _geo value. Other notations (like 47°12',...) are not supported.

In most cases you don't have to build the _geo field yourself. The built-in geolocation lookup methods (geoip command and geo lookup) are emitting this field by default. In cases where you already have geolocation information in your results, you can leverage the geonormalize command to build the _geo value for you.

Geolocation Lookup for IP addresses

Performing Gelocation Lookup on external IP addresses

External IP address values can be easily translated to locations by using the built-in geoip command or the geo lookup.

Examples:

Perform a geolocation lookup for values of the clientip field in access_combined events:
sourcetype=access_combined | geoip clientip
Same as the previous example, but also perform DNS lookups in case when the value of the clientip field is a hostname and not an IP:
sourcetype=access_combined | geoip clientip resolve_hostnames=true
Same as the first example, but using the geo lookup instead of the command
sourcetype=access_combined | lookup geo ip as clientip

Performing Gelocation Lookup on internal IP addresses

In order to perform geolocation lookup on private IP address ranges you have to implement a lookup yourself. Splunk provides multiple ways to achieve this:

  • Creating a CSV with the IP subnets and their locations and leveraging the CIDR match_type
  • Creating a scripted lookup which queries the geolocation information from an existing asset management system.

Performing combined Geolocation Lookup on IP adresses

Lookups for external and interal IP addresses can be easily combined.

Examples:
sourcetype=access_combined clientip=* | lookup geoip_internal ip as clientip | geoip clientip

sourcetype=access_combined clientip=* | lookup example_geo_internal ip as clientip | lookup geo ip as clientip OUTPUTNEW _geo geo_info

Use existing geolocation information available in search results

It's common case that events already contain geo information.

The geonormalize command

The geonormalize command can detect existing fields containing the geoinformation and normalizes them for the GoogleMaps module. For doing this the command searches for field pairs (a latitude field and a longitude field) matching a name scheme. The values of those fields are then merged and emitted as the _geo field. The following name schemes are supported:

  • *lat/*lng
  • *lat/*lon
  • *latitude/*longitude

So for example when an event has the fields gps_lat=47.11 and gps_lon=0.815 the geonormalize command will detect those fields and emit the _geo field with the value 47.11,0.815.

Example:
sourcetype=device_tracking device_id=A47C08B13 | geonormalize

Manual building the _geo field

If you don't want to use the geonormalize command or if the location fields do not match any naming scheme, you can manually build the _geo field.

Example:
eventtype=phone_activation | eval _geo=phone_loc_1+","+phone_loc_2
(Assuming that phone_loc_1 contains the latitude and phone_loc_2 contains the longitude)

Creating Dashboards with Google Maps

This add-on provides a Splunk UI module called GoogleMaps. This module can only be using in advanced XML dashboards. The usage of the module is quite similar to any built-in module in Splunk which displays results (like SimpleResultsTable, EventsViewer, etc.).

Example:

<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="true">  
    <param name="search">sourcetype=access_combined | geoip clientip</param>  
    <param name="earliest">-24h@h</param>  
    <module name="GoogleMaps">  
        <param name="height">500px</param>  
        <param name="mapType">roadmap</param>  
        <param name="scrollwheel">off</param>  
    </module>  
</module>

All available options to the module can be found at the module reference at your Splunk instance at http://localhost:8000/modules#Splunk.Module.GoogleMaps

Release Notes

Version 1.1.3
July 4, 2013

Fixed a problem with distributed search (thanks Anirban)
Updated to latest Maxmind geolite database
Fixed setup rest endpoint

Version 1.1.2
Aug. 21, 2012

Fixed issue with chrome not loading the API when SSL is enabled

Version 1.1.1
May 29, 2012
  • Fixed some UI issues:
  • Fixed race condition when api load was loaded pretty early
  • Fixed cluster icons did not appear in some cases
  • Update to latest maxmind geolite city db
Version 1.1
May 31, 2011

Internal changes

The module now uses the _geo field instead of the _lat and _lng fields to resolve the location. The geoip and the geonormalize command are now emitting this field. It contains the combined latitude/longitude information in the form <lat>,<lng> (eg. 47.11,0.815).

Geolocation Lookup

The geolocation lookup now uses the Maxmind GeoLite City database. The geoip command is now emitting different fields:
<field>_latitude, <field>_longitude, <field>_country_name, <field>_country_code, <field>_region_name, <field>_city, and the _geo field

UI Changes

  • More configuration options for the module
  • Scrollwheel zooming is turned off by default
  • Streetview is turned off
  • Introduced opacity for cluster icons (Only in Browsers supporting native opacity).
  • Added new mapStyles (See dark view).
  • The module now persist settings like center, zoom and map style.
  • Removed fields side-panel
  • Added 2 panel to kind-of debug the results (Geo Results and Events)

Drilldown

Version 1.0.1
Aug. 31, 2010

Google Maps Version 1.0.1

  • Enhanced clustering of the results displayed on the Google Map
  • Improved performance for both the geoip and geonormalize command
  • Added a custom results header in the maps view which displays the count of results with geo information as well as the count of distinct locations

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.