Add Google Map on Splunk Dashboard

Once you create a Splunk dashboard by using GoogleMap, you may meet some problem if you are beginner about the GoogleMap like me.

1. Create Dashboard

It may be easy to create a dashboard on Splunk web normally.

2. Convert the simpleXML to advancedXML

To add a Google map on the new dashboard, you need to convert from simpleXML to advancedXML. First, you can get the advancedXML from a URL

http://localhost:8000/en-US/app/search/{dashboard_name}?showsource=advanced

Once you connect the URL above, you can see a page like this below. If so, copy the advancedXML to notepad in order to add a GoogleMap.

3. Add Google Map

Here is a sample GoogleMap module. After change the red and Italic style font to adjust on your site, add it on the advancedXML.

<module name=”HiddenSearch” group=”Map View” layoutPanel=”panel_row3_col1” autoRun=”true”>
<param name=”search”>{query_string}</param>
<param name=”earliest”>-8h@h</param>
<module name=”GoogleMaps”>
<param name=”height”>500px</param>
<param name=”drilldown_field”>addr</param>
<param name=”mapType”>terrain</param>
<param name=”scrollwheel”>off</param>
<param name=”zoomLevel”>2</param>
<param name=”center”>30.580607, 6.111675</param>
</module>
</module>

4. Save

Go to [Splunk> Manager >> User interface >> Views] on your Splunk web. After open a dashboard made at #1, replace it all to the modified advancedXML. Finally, click the save button. Now browse the board, you can see the GoogleMap.

Splunk Visual Basic Script

I made a script by using VB script as below. This script is forcing to show how to get the Splunk Parameters. Once you try to get the parameter by using “Wscript.Arguments”, you get wrong value because it separate the parameters based on space or tab. Here is a list of the Splunk parameters

• SPLUNK_ARG_0 Script name
• SPLUNK_ARG_1 Number of events returned
• SPLUNK_ARG_2 Search terms
• SPLUNK_ARG_3 Fully qualified query string
• SPLUNK_ARG_4 Name of saved search
• SPLUNK_ARG_5 Trigger reason (for example, “The number of events was greater than 1”)
• SPLUNK_ARG_6 Browser URL to view the saved search
• SPLUNK_ARG_8 File in which the results for this search are stored (contains raw results)

Ref) http://docs.splunk.com/Documentation/Splunk/5.0.2/alert/ConfiguringScriptedAlerts

On Error Resume Next
Err.Clear

Function GetNow()
t = Timer
temp = Int(t)
Miliseconds = Int((t-temp) * 1000)
Seconds = temp mod 60
temp = Int(temp/60)
Minutes = temp mod 60
Hours = Int(temp/60)
strTime = String(2 – Len(Hours), "0") & Hours & ":"
strTime = strTime & String(2 – Len(Minutes), "0") & Minutes & ":"
strTime = strTime & String(2 – Len(Seconds), "0") & Seconds & "."
strTime = strTime & String(4 – Len(Miliseconds), "0") & Miliseconds
GetNow = FormatDateTime(Date, 2) &" "& strTime
End Function

Const ForReading = 1, ForWriting = 2, ForAppending = 8
Dim objFSO, objLog
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLog = objFSO.OpenTextFile("D:\log\splunk_script" & GetNow() & ".log", ForAppending, True)

<span style="color: #ff0000;"><em>Set oShell = CreateObject( "WScript.Shell" ) </em></span>
<span style="color: #ff0000;"><em>user = oShell.ExpandEnvironmentStrings("%UserName%") </em></span>
<span style="color: #ff0000;"><em>arg4 = oShell.ExpandEnvironmentStrings("%SPLUNK_ARG_4%") </em></span>
<span style="color: #ff0000;"><em>arg6 = oShell.ExpandEnvironmentStrings("%SPLUNK_ARG_6%")</em></span>

if Wscript.Arguments.Count > 5 then
Dim objSell
Dim strContent

strContent = "["&arg4&"] "& arg6

Set objShell = Wscript.CreateObject("WScript.Shell")
objShell.Run """C:\Program Files\Splunk\bin\scripts\sms.vbs"" """ & strContent & """"
Set objShell = Nothing
end if

if Err.Number <> 0 then
‘ An exception occurred
objLog.WriteLine "Exception:" & vbCrLf &_
" Error number: " & Err.Number & vbCrLf &_
" Error description: ‘" & Err.Description & "’" & vbCrLf
end if

objLog.Close
Set objLog = Nothing
Set objFSO = Nothing