Splunk for Facebook – geolocating Facebook activities

Psstt … Is geolocation ready in the latest release of the Splunk for Facebook app? Yes! For those who have been following the progress of this app and are curious whether the idea mentioned in the previous post, Splunk for Facebook – event updates with geolocation (geolocating activities in Facebook and visualizing them), has been implemented and how, this is what it looks like.

Short story: Activities with geo-coordinates (latitude and longitude) are marked on the map. An individual marker pops up as the cursor moves over the corresponding result in the results section.

Long story: Quite technical, but the steps will be described as tersely and simply as possible.

[1] The “smart” of the app

A search function is implemented with the Splunk REST API and called by the controller. The controller acts as an intermediary between splunkd and splunkweb. In the context of the Model-View-Controller (MVC) design pattern, splunkd is the Model, splunkweb is the View, and the controller is simply a dispatcher that performs some task when a certain URI is hit. Since the stream table in FQL does not contain the latitude and longitude of user activities, a search command has to be constructed to correlate it with the location_post table (which contains the geo-coordinates as attributes). The search command looks like this:

index=facebook sourcetype="facebook_stream_table" stream_source_id="*" | dedup stream_post_id | join type=outer stream_source_id [search index=facebook sourcetype="facebook_location_post_table" | fields - location_post_tagged_uids_* | dedup location_post_id, location_post_author_uid | eval stream_source_id=location_post_author_uid | eval loc_post_type=case(location_post_type="photo", "Photo posted", location_post_type="video", "Video posted", location_post_type="status", "Status update", location_post_type="checkin", "Recent checkin") ] | table stream_created_time location_post_coords_longitude location_post_coords_latitude stream_permalink stream_source_id stream_message stream_attribution loc_post_type stream_attachment_media_0_src stream_attachment_media_0_alt stream_attachment_media_0_alt | sort - stream_created_time

The search command may look lengthy and complicated, but it becomes much shorter if the eval loc_post_type command is removed and the fields for the table command are wildcarded using *:

index=facebook sourcetype="facebook_stream_table" stream_source_id="*" | dedup stream_post_id | join type=outer stream_source_id [search index=facebook sourcetype="facebook_location_post_table" | fields - location_post_tagged_uids_* | dedup location_post_id, location_post_author_uid | eval stream_source_id=location_post_author_uid ] | table stream* location* | sort - stream_created_time

[2] Rendering search results

Server-side Include (SSI) is used in one of the panels in the dashboard to render the user activities and the Leaflet map. That particular HTML page talks to the controller's URI endpoint to retrieve the search results in JSON format. This is the Splunk REST API endpoint that is used by the search module in the controller:

/services/search/jobs/<search_id>/results?output_mode=json&count=0

jQuery is then used to do all the UI magic (popups, dynamic creation and deletion of divs, etc) while Leaflet is used to geographically visualize the origin of the posts submitted.
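The fields returned by this search (stream_message, stream_permalink and so on) are text written by Facebook users, so the page should validate and escape them before they reach a popup or a dynamically created div. The following is an added example, not code from the app: it turns the JSON results into marker descriptions, skipping rows without usable coordinates. The function names, the "View post" link text and the accepted response shapes are assumptions.

```javascript
// Added example. Field names come from the search above; everything else is assumed.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only https links on facebook.com; anything else is dropped.
function safePermalink(raw) {
  try {
    const url = new URL(String(raw));
    const host = url.hostname.toLowerCase();
    const onFacebook = host === "facebook.com" || host.endsWith(".facebook.com");
    return url.protocol === "https:" && onFacebook ? url.href : null;
  } catch (err) {
    return null; // not an absolute URL
  }
}

// Parse a decimal coordinate string; reject blanks, junk and out-of-range values.
function parseCoord(raw, limit) {
  if (typeof raw !== "string" || !/^-?\d+(\.\d+)?$/.test(raw.trim())) return null;
  const n = Number(raw);
  return Math.abs(n) <= limit ? n : null;
}

// Turn search results ({results: [...]} or a bare array) into {lat, lng, html}.
function toMarkers(payload) {
  const rows = Array.isArray(payload) ? payload : (payload && payload.results) || [];
  const markers = [];
  for (const row of rows) {
    const lat = parseCoord(row.location_post_coords_latitude, 90);
    const lng = parseCoord(row.location_post_coords_longitude, 180);
    if (lat === null || lng === null) continue; // outer join: no location matched
    const link = safePermalink(row.stream_permalink);
    const html = "<b>" + escapeHtml(row.loc_post_type || "Activity") + "</b><br>" +
      escapeHtml(row.stream_message || "") +
      (link ? '<br><a href="' + escapeHtml(link) + '" rel="noopener">View post</a>' : "");
    markers.push({ lat, lng, html });
  }
  return markers;
}

// Constructed sample rows (not real data).
const SAMPLE = { results: [
  { location_post_coords_latitude: "37.7749", location_post_coords_longitude: "-122.4194",
    loc_post_type: "Recent checkin", stream_message: "Lunch <script>alert(1)</script>",
    stream_permalink: "https://www.facebook.com/1/posts/2" },
  { stream_message: "no location", stream_permalink: "https://www.facebook.com/1/posts/3" },
] };
```

Each returned entry can be handed to Leaflet as L.marker([m.lat, m.lng]).bindPopup(m.html).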

[3] Takeaway

There are certainly many interesting ways to visualize the plethora of information garnered from the Facebook API, and each one of them represents a unique and exciting problem to solve. Download the latest release of the app here in SplunkBase! http://splunk-base.splunk.com/apps/splunk+for+facebook. Feedback and comments are very much appreciated.

Till next time … Happy Splunking!

Disclaimer: Opinions expressed in this blog do not represent the views of Splunk.

----------------------------------------------------
Thanks!
Nicholas Key

Posted by Splunk