Enhancing Splunk Visualizations with Mapbox

Anthony G. Tellez | 3 min read
Tags: Splunk, Visualization, Mapbox, GeoViz, Security

Enhance the out-of-the-box visualizations provided by Splunk for cluster map visualizations by integrating with the Mapbox API.

While it has been possible to add custom tiles to cluster map visualizations in Splunk, the options were limited. This blog shows you how to integrate with the Mapbox API to use included styles or custom maps.

Requirements

Required:

  • Mapbox account & API access token
  • Internet access for your Splunk instance
  • Geographical data in Splunk

Optional:

Add Latitude and Longitude Coordinates

To use any geographic visualization in Splunk, you need data with latitude and longitude coordinates. External network traffic is a great data source.

Example: Suricata Netflow Data

This search takes Netflow events from an IPS running Suricata and uses iplocation to create lat/lon fields:

index=suricata event_type=flow
| iplocation src prefix=start_
| iplocation dest prefix=end_

The prefix keeps the source (start_) and destination (end_) geo fields apart, so the direction of each flow is preserved. See the iplocation command documentation for more information.

Format Data for Missile Map

The Missile Map expects a specific table layout (start/end coordinates plus optional styling fields):

[Figure: Missile Map Example]

Create a Table

Use a short-duration real-time search covering the last 5 minutes:

index=suricata event_type=flow
| iplocation src prefix=start_
| iplocation dest prefix=end_
| search start_Country="*" end_Country="*"
| table start_lat start_lon end_lat end_lon app

Enable Animation and Pulse

| table start_lat start_lon end_lat end_lon app
| eval animate="yes", pulse_at_start="yes"

Add Color Coding by Protocol

Use eval with a case statement (colors taken from flatuicolors.com). case returns the value of the first condition that matches, so the catch-all 1==1 branch goes last:

| eval animate="yes", pulse_at_start="yes"
| eval color = case (
    match(app, "ssh"), "#c0392b",
    match(app, "dns"), "#e67e22",
    match(app, "tls"), "#f1c40f",
    match(app, "http"), "#27ae60",
    match(app, "dcerpc"), "#2980b9",
    1==1, "#7f8c8d")

[Figure: Table for Missile Map]

Configure Mapbox Integration

Select the Visualization tab → Missile Map → Format:

[Figure: Configure Missile Map]

API Token

Create an access token: Mapbox API Access Token Guide

Mapbox Style URL

Two options available:

  1. Custom map you've created
  2. Free Mapbox styles (with valid API token)

Free style options:

mapbox://styles/mapbox/streets-v9
mapbox://styles/mapbox/outdoors-v9
mapbox://styles/mapbox/light-v9
mapbox://styles/mapbox/dark-v9
mapbox://styles/mapbox/satellite-v9
mapbox://styles/mapbox/satellite-streets-v9

Tile URL Format

From Mapbox API docs:

/v4/{map_id}/{z}/{x}/{y}{@2x}.{format}

Final syntax for Splunk:

https://api.mapbox.com/v4/mapbox.streets/{z}/{x}/{y}@2x.png?access_token=your-access-token
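To show how Splunk's literal `{z}/{x}/{y}` placeholders relate to real tile requests, here is an added Python example (not code from the post, Splunk or Mapbox) that builds the Splunk tile URL from the documented `/v4/{map_id}/{z}/{x}/{y}{@2x}.{format}` template, converts a latitude/longitude pair into the tile coordinates a browser would substitute at a given zoom using the standard Web Mercator tile math, and refuses anything but a public `pk.` token. The token refusal reflects how the URL is used: it is saved in the visualization's configuration and fetched by every viewer's browser, so a secret `sk.` token placed there would be exposed to anyone who can open the dashboard. The token value and map id are placeholders.

```python
import math
from urllib.parse import urlencode

MAPBOX_V4 = "https://api.mapbox.com/v4"


def check_public_token(token):
    """Only public tokens (prefix 'pk.') belong in a URL that browsers fetch."""
    if not token.startswith("pk."):
        raise ValueError("tile URLs are client-visible; use a public 'pk.' token")
    return token


def splunk_tile_url(map_id, token, retina=True, fmt="png"):
    """The string to paste into the Missile Map tile URL field: placeholders intact."""
    check_public_token(token)
    scale = "@2x" if retina else ""
    return f"{MAPBOX_V4}/{map_id}/{{z}}/{{x}}/{{y}}{scale}.{fmt}?" + urlencode(
        {"access_token": token}
    )


def latlon_to_tile(lat, lon, zoom):
    """Web Mercator slippy-map tile indices for a coordinate at a zoom level."""
    n = 2 ** zoom
    lat = max(min(lat, 85.0511), -85.0511)  # Mercator limits
    x = int((lon + 180.0) / 360.0 * n)
    lat_rad = math.radians(lat)
    y = int((1.0 - math.log(math.tan(lat_rad) + 1.0 / math.cos(lat_rad)) / math.pi) / 2.0 * n)
    # lon == 180 or lat at the limit would index one past the last tile; clamp.
    return min(max(x, 0), n - 1), min(max(y, 0), n - 1)


def tile_request_url(map_id, token, lat, lon, zoom, retina=True, fmt="png"):
    """What the browser actually requests once it fills in z/x/y for a point."""
    x, y = latlon_to_tile(lat, lon, zoom)
    template = splunk_tile_url(map_id, token, retina=retina, fmt=fmt)
    return template.replace("{z}", str(zoom)).replace("{x}", str(x)).replace("{y}", str(y))


if __name__ == "__main__":
    # Placeholder token; a real Mapbox public token is much longer.
    print(splunk_tile_url("mapbox.streets", "pk.example-token"))
    print(tile_request_url("mapbox.streets", "pk.example-token", 51.51, -0.13, 10))
```

Mapbox also lets a public token be restricted to specific URLs and scopes; pairing that with the `pk.` check limits what a token lifted from a dashboard's configuration can be used for.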

Results

[Figure: Configured Missile Map]

[Figure: Mapbox Missile Map Result]

Conclusion

You can now improve geographical visualizations with Mapbox. Customers can leverage custom styles to personalize tilesets and add additional context to their data.

[Figure: DefCon1 Animation]

This integration provides powerful geographical context for security monitoring and threat visualization.