Saturday, September 4, 2010

Data Visualization

One of the most useful ways to communicate or understand information is to visualize the data. In security this is vital because of the sheer volume of data you often have to contend with (see, for example, the work of the secviz community).

Splunk can enable you to quickly find and parse data; however, you often need to send the data to something like graphviz so that you can actually see it.

I've written an app that adds a new search command to Splunk that will enable you to generate a graph from your search data.

* | viz field1=ip1 field2=ip2 label=proto flatten=true file=/tmp/network1.png
* | viz field1=ip1 field2=ip2 label=proto flatten=true file=/tmp/network2.png rankdir=RL

One of the nice features is that you can add graphviz options directly to the command, e.g. rankdir=RL to lay the graph out right-to-left.
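As an added illustration (my own sketch, not the app's code), the following Python shows the transformation the viz command performs: search rows become a DOT digraph with one field1 -> field2 edge per row, labelled by the label field, flatten=true collapses repeated edges, and unrecognised options such as rankdir pass straight through as graphviz graph attributes. The sample rows, the function names and the fallback when the dot binary is missing are all constructed for this example.

```python
import shutil
import subprocess

# Constructed sample rows shaped like Splunk search results with fields
# ip1, ip2 and proto; documentation addresses, not real traffic.
SAMPLE_ROWS = [
    {"ip1": "10.0.0.5", "ip2": "10.0.0.9", "proto": "tcp"},
    {"ip1": "10.0.0.5", "ip2": "10.0.0.9", "proto": "tcp"},  # repeat of row 1
    {"ip1": "10.0.0.9", "ip2": "192.0.2.1", "proto": "udp"},
    {"ip1": "192.0.2.1", "ip2": "10.0.0.5", "proto": "icmp"},
    {"ip1": "192.0.2.1", "proto": "icmp"},                   # missing ip2
]

def _q(value):
    """Quote a value as a DOT string literal, escaping embedded quotes."""
    return '"%s"' % str(value).replace("\\", "\\\\").replace('"', '\\"')

def build_dot(rows, field1, field2, label=None, flatten=False, **graph_attrs):
    """Return DOT text with one directed edge per row, field1 -> field2.

    label names the field whose value labels each edge; flatten=True collapses
    repeated (src, dst, label) triples into one edge; any other keyword argument
    (e.g. rankdir="RL") is emitted as a graph attribute for graphviz to apply.
    """
    lines = ["digraph splunk {"]
    for name, value in sorted(graph_attrs.items()):
        lines.append("  %s=%s;" % (name, _q(value)))
    seen = set()
    for row in rows:
        src, dst = row.get(field1), row.get(field2)
        if not src or not dst:
            continue  # rows without both endpoints cannot form an edge
        lbl = row.get(label, "") if label else ""
        if flatten:
            if (src, dst, lbl) in seen:
                continue
            seen.add((src, dst, lbl))
        attrs = " [label=%s]" % _q(lbl) if lbl else ""
        lines.append("  %s -> %s%s;" % (_q(src), _q(dst), attrs))
    lines.append("}")
    return "\n".join(lines) + "\n"

def render_png(dot_text, path):
    """Pipe DOT text to the graphviz 'dot' binary to write a PNG; returns
    False when dot is not installed so the caller can keep the .dot text."""
    if shutil.which("dot") is None:
        return False
    subprocess.run(["dot", "-Tpng", "-o", path], input=dot_text.encode(), check=True)
    return True
```

Calling build_dot(SAMPLE_ROWS, "ip1", "ip2", label="proto", flatten=True, rankdir="RL") yields three labelled edges and a rankdir="RL" attribute, which render_png can hand to dot to produce the same kind of file the second search above writes.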

The app can be obtained via, comments & patches are welcome.