Splunk is a great tool for digging into data and presenting the results. Sometimes, you just want a status board of results that comes to you without having to log into a web application. A wonderful app for this is the iPad app statusboard by Panic software.
You have always been able to point a Status Board panel at the URL of a file for presentation. However, that means your data is served without authentication. Panic added Dropbox support, so you can now make a panel that pulls from a CSV or JSON file in your Dropbox. You can also AirPlay to an Apple TV or connect the iPad directly to a TV to present the dashboard on a large display.
In this post I will cover how I combined a Splunk alert script in Python, Dropbox and Status Board to get the result below. I am displaying the number of failed login attempts against my WordPress blog by country code for the previous 7 days. Keep in mind this is a Splunk instance running on my laptop with minimally sensitive information. I would never run Dropbox directly on a work related production Splunk server. An alternative method would be to run a scheduled script that pulls the results out of Splunk via the REST API and writes them out to a CSV in the Dropbox folder. I will do that version of this post in the future.
Setting up the search
First we have to pick the search that gives the results we want in a small, manageable table format. Keep in mind the presentation options in Status Board are limited, but perfect for showing certain things. That means you need to keep column names and values short. This is why I did not stick with country names; the chart would be hard to follow if the column name was too long.
In my case I have all the Apache logs tagged as “web” when I bring them into Splunk. I then look for a POST where the URL ends with the WordPress login PHP file. I did this to ignore scrapers that saw the link but did not try to post to it.
I renamed the columns because, as you can see in the earlier graphic, Status Board uses the column names in a CSV to title the panel. You can tell from the screenshot that I changed the column name in the search as I was testing. We can get more flexible graphing features in the future if we make the results in JSON format instead of CSV. We stuck with CSV for simplicity.
tag=web uri_path=*wp-login.php method=POST | iplocation clientip | top CountryCode | sort CountryCode | rename CountryCode AS Country | rename count AS WordPress_Logon_Attempts
Once you have the results the way you want in Splunk, save the search as an alert. You can choose a schedule that works for your particular data type. In my case I chose daily at midnight with earliest=-7d@d latest=now. Make sure you specify the alert script name. In this example I used “statusboard-wp-logins.py”.
The alert script – statusboard-wp-logins.py
Here is the Python script. It has to be saved in your $SPLUNK_HOME/bin/scripts location.
We are assuming this is Splunk on a machine where Dropbox is running. That is acceptable for personal or development use. In production you will need to work out another way to get the file this script creates onto a machine with Dropbox.
1. You will need to change the outputFile path to a similar location inside the Dropbox folder on your system. You will likely want to create a subfolder under Dropbox to keep these files grouped. You can see I made one called “graphs.”
2. We had to set the umask so the file permissions leave the file readable by your regular user account. Otherwise, the Dropbox app will not be able to sync the file up to Dropbox because it lacks read permission.
import os
import csv
import gzip

if __name__ == "__main__":
    # Obtain the path to the alert events compressed file
    # (Splunk hands alert scripts the results file path as SPLUNK_ARG_8)
    alertEventsFile = os.environ['SPLUNK_ARG_8']
    # Open the csv in our Dropbox folder that StatusBoard will monitor and graph
    # We have to set the umask to ensure our user account can read the files
    # (022 is an assumed value: owner read/write, group and others read)
    os.umask(0o022)
    outputFile = "/Users/georgestarcher/Dropbox/graphs/web-login-attempts.csv"
    graphFile = open(outputFile, 'w')
    # Handle to the csv contents of the alerts events compressed file
    eventContents = csv.reader(gzip.open(alertEventsFile, 'rt'))
    # Format the csv results for statusboard: keep the first two columns
    # (Country, WordPress_Logon_Attempts) and end each row with CRLF
    for line in eventContents:
        message = line[0]+","+line[1]+"\r\n"
        graphFile.write(message)
    # Add the lines to tell statusboard to make a totals column and make the color for the graph red
    graphFile.close()
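As an added example (not the post's own script, and written for Python 3), the same conversion done by column name rather than position, with the file written at an explicit mode and renamed into place so the Dropbox client never picks up a half-written CSV. The column names are assumed from the search above; the sample results file is constructed inline as a stand-in for SPLUNK_ARG_8.

```python
# Added example, not the post's script: turn the Splunk alert results file
# (SPLUNK_ARG_8, a gzip'd CSV) into the two-column CSV Statusboard graphs.
import csv
import gzip
import io
import os
import tempfile

# Column names assumed from the search in the post; 'top' also emits 'percent',
# which Statusboard does not need, so it is dropped here.
KEEP_COLUMNS = ("Country", "WordPress_Logon_Attempts")


def convert_results(alert_events_file, keep=KEEP_COLUMNS):
    """Return the Statusboard CSV text (CRLF rows) built from results.csv.gz."""
    with gzip.open(alert_events_file, "rt", newline="") as fh:
        reader = csv.DictReader(fh)
        missing = [c for c in keep if c not in (reader.fieldnames or [])]
        if missing:  # fail loudly instead of graphing a half-empty panel
            raise ValueError("results file lacks columns: " + ", ".join(missing))
        out = io.StringIO()
        writer = csv.writer(out, lineterminator="\r\n")
        writer.writerow(keep)
        for row in reader:
            writer.writerow([row[c] for c in keep])
    return out.getvalue()


def write_for_dropbox(alert_events_file, output_file, keep=KEEP_COLUMNS):
    """Write the converted CSV atomically with mode 0644 (owner rw, others r)."""
    text = convert_results(alert_events_file, keep)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(output_file) or ".")
    with os.fdopen(fd, "w", newline="") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)          # explicit mode, so splunkd's umask does not matter
    os.replace(tmp, output_file)  # rename: Dropbox never syncs a partial file
    return output_file


def run_demo():
    """Constructed stand-in for SPLUNK_ARG_8; returns (csv text, file mode)."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "results.csv.gz")
    with gzip.open(src, "wt", newline="") as fh:
        w = csv.writer(fh)
        w.writerows([["Country", "WordPress_Logon_Attempts", "percent"],
                     ["US", "42", "60.0"], ["CN", "28", "40.0"]])
    out = write_for_dropbox(src, os.path.join(workdir, "web-login-attempts.csv"))
    with open(out, newline="") as fh:
        return fh.read(), os.stat(out).st_mode & 0o777
```

Because the mode is set on the file itself, the script no longer depends on whatever umask splunkd happens to run with.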
You will need to have the Status Board app installed on your iPad and give it permission to access your Dropbox account.
Just add a graph panel and browse to the CSV in the graphs subfolder of your Dropbox folder.
That is all there is to it. You are only limited by how you form your search in Splunk and how often you schedule it to output the results. Enjoy!