Use Splunk to show your active netstat connections, geographically

July 5, 2013 – 9:40 PM

I was geeking out a bit tonight thinking about a friend’s situation and thought that I could probably do something useful in Splunk that might be helpful to others. Sure enough, a few minutes later and I am viewing all my active netstat connections geographically as they are established:



Once the shell script is enabled, download the Google Maps app and set up the final query. Using multikv was not enough for what I wanted to view (the output included the ports), so I used rex with this data extraction: (?<ipaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) and piped it into geomap. Voila.
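To see what that extraction actually hands to the map, here is an added Python example (not the post's own search or shell script) that re-creates the pipeline offline: netstat text goes in, the post's IP regex pulls addresses out, and the result is a per-address count of the kind a geo lookup would plot. The netstat lines are constructed, and the public-looking addresses are RFC 5737 documentation addresses standing in for real remote hosts. Two things the example makes visible that a first attempt at the search tends to miss: netstat prints the local address before the foreign one, so a single-match extraction (rex's default) returns your own address on every line rather than the peer's, and loopback or RFC 1918 peers cannot be placed on a map and are better dropped before the geo step.

```python
"""Offline re-creation of the post's pipeline:
netstat output -> IP extraction -> per-address counts for a geo lookup.

Added example, not the post's code. The sample netstat lines are constructed;
the public-looking addresses use RFC 5737 documentation ranges.
"""
import ipaddress
import re
from collections import Counter

# The post's rex extraction. Splunk uses PCRE named groups, (?<ipaddress>...);
# Python's re module spells the same group (?P<ipaddress>...).
IP_RE = re.compile(r"(?P<ipaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")

# Constructed sample of `netstat -an` output (Linux column layout).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:54321       203.0.113.10:443        ESTABLISHED
tcp        0      0 192.168.1.5:54322       198.51.100.7:22         ESTABLISHED
tcp        0      0 192.168.1.5:54323       203.0.113.10:80         ESTABLISHED
tcp        0      0 127.0.0.1:40000         127.0.0.1:6379          ESTABLISHED
tcp        0      0 192.168.1.5:54324       203.0.113.10:443        TIME_WAIT
"""

# Address blocks a geo lookup cannot place on a map: loopback, link-local,
# RFC 1918 private space and the "this network" block.
LOCAL_BLOCKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def is_local(ip_text):
    """True for addresses that will never geolocate meaningfully."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in block for block in LOCAL_BLOCKS)


def first_match_ips(netstat_text):
    """What a single-match extraction yields: the first IP on each line,
    which in netstat's layout is the *local* address, not the peer."""
    out = []
    for line in netstat_text.splitlines():
        m = IP_RE.search(line)
        if m:
            out.append(m.group("ipaddress"))
    return out


def foreign_ips(netstat_text, states=("ESTABLISHED",)):
    """Foreign address of every connection whose State is in `states`.
    All IPs on the line are matched (the analogue of rex max_match=0) and
    the second one is the Foreign Address column."""
    out = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] not in states:
            continue  # headers, LISTEN sockets, TIME_WAIT, etc.
        ips = IP_RE.findall(line)
        if len(ips) >= 2:
            out.append(ips[1])
    return out


def geo_candidates(netstat_text):
    """Per-peer connection counts, with unmappable addresses removed."""
    return Counter(ip for ip in foreign_ips(netstat_text) if not is_local(ip))


if __name__ == "__main__":
    print("first-match (local) addresses:", first_match_ips(SAMPLE_NETSTAT))
    for ip, n in geo_candidates(SAMPLE_NETSTAT).most_common():
        print(f"{ip:16} {n} connection(s)")
```

Run as-is it prints the local addresses a first-match extraction would have sent to the map, followed by the two documentation-range peers with their connection counts; that second list is what a geo lookup should be fed. The state filter is deliberate: LISTEN rows carry 0.0.0.0 as their foreign address and TIME_WAIT rows are connections that are already gone.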
