
Splunk Interaction Analytics App

The way we live and work has dramatically changed. Some of the changes might become permanent.  Yet even in an unpredictable world, we still look at data to help us solve our problems. 

In order to combat COVID-19, we stay six feet away from each other, wear masks, and wash our hands regularly.  But sometimes, that isn’t enough.  We need a way to notify those that might have come into contact with someone who has contracted COVID-19.  This is where Big Data, Splunk, and the Splunk Interaction Analytics app enter the picture.

What is the Splunk Interaction Analytics App?

The Splunk Interaction Analytics app was written by members of the Splunk State, Local and Higher Education (SLED) team. It was designed to help determine who a user infected with COVID-19 has been in contact with.  By using networking data, the dashboards can show the various people they may have been around during the infection period.

How does Interaction Analytics work?

To streamline implementation of the app, the team decided to build it on the Network Sessions Data Model. You map the appropriate data to that model in order to populate the dashboards. Below are the fields of the data model that need to be populated, along with the lookups that need to be populated as well.

Fields

Field and description:

  dest_dns: The name of the AP or an identifier of the AP. It is used to determine whether an infected user was on the same AP as another user for an extended period of time.
  user: The name of the user authenticated to the AP.
  action: Records when the user authenticated or deauthenticated to the AP. This lets the app determine how long a user was on an AP with an infected user. The two acceptable values are authentication and deauthentication.

Lookups

Lookup and description:

  access_point_exclusions: List of WAPs to be excluded from dashboard searches.
  building_lookup: List of WAPs, each associated with a building, with the longitude and latitude of the WAP.

Use Cases

Two use cases for this app are described here, though there could be plenty more.

  1. Find users who spent time with the infected user. You can search for a user and see which areas that user was in.
     [Image: Splunk interaction analytics dashboard]
  2. See how many users are in a given area. You can use the heat map to determine whether there are more users in one area than allowed and take action.
     [Image: Splunk interaction analytics campus map dashboard]

Gotchas

Though this app has a wonderful design and very intuitive dashboards, there are two gotchas in implementing this app.

  1. You need Longitude and Latitude coordinates for each WAP.  This can be a big undertaking if you have thousands of WAPs.
  2. You need authentication and deauthentication information. To determine duration (how long someone was on a WAP with another user), the app uses the time between a user's authentication and deauthentication events. Unfortunately, not all data sources have this information.

The good news for the second gotcha is that the SLED team has already figured out this issue and can help you with that problem if you are unable to get that information.
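The following is an added worked example, not code from the Splunk Interaction Analytics app or the SLED team. It shows, in plain Python over a constructed set of events shaped like the Network Sessions fields above (user, dest_dns, action), what the dashboards must compute: reconstruct each user's per-AP session from authentication/deauthentication events, then find the users who overlapped with a given user on the same AP for longer than a threshold, skipping APs listed in access_point_exclusions. It also handles the second gotcha: a session with no deauthentication event is closed when the user roams to another AP, or capped at a maximum length, instead of being dropped. All event values, the exclusion list and the 15-minute threshold are constructed assumptions.

```python
"""Contact-overlap computation over constructed WLAN auth/deauth events.
Added example; not part of the Splunk Interaction Analytics app."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (_time, user, dest_dns, action).
EVENTS = [
    ("2020-09-01T09:00:00", "alice", "ap-lib-01",  "authentication"),
    ("2020-09-01T09:05:00", "bob",   "ap-lib-01",  "authentication"),
    ("2020-09-01T09:50:00", "bob",   "ap-lib-01",  "deauthentication"),
    ("2020-09-01T10:00:00", "alice", "ap-lib-01",  "deauthentication"),
    ("2020-09-01T10:02:00", "alice", "ap-gym-03",  "authentication"),
    ("2020-09-01T10:03:00", "carol", "ap-gym-03",  "authentication"),
    ("2020-09-01T10:06:00", "carol", "ap-gym-03",  "deauthentication"),
    # alice never deauthenticates from ap-gym-03; she roams to ap-cafe-02 later.
    ("2020-09-01T11:00:00", "eve",   "ap-cafe-02", "authentication"),
    ("2020-09-01T11:30:00", "alice", "ap-cafe-02", "authentication"),
    ("2020-09-01T12:30:00", "eve",   "ap-cafe-02", "deauthentication"),
    ("2020-09-01T12:45:00", "alice", "ap-cafe-02", "deauthentication"),
    # dave has no deauthentication event at all (gotcha 2).
    ("2020-09-01T13:00:00", "dave",  "ap-lib-01",  "authentication"),
]

# Constructed stand-in for the access_point_exclusions lookup.
ACCESS_POINT_EXCLUSIONS = {"ap-cafe-02"}


def build_sessions(events, window_end, max_session=timedelta(hours=8)):
    """Return {user: [(ap, start, end), ...]} in event order.

    A session opens on 'authentication' and closes on the matching
    'deauthentication'. Authenticating to a different AP closes the
    open session at that moment (roaming). A session that never closes
    is ended at window_end or after max_session, whichever is earlier,
    so users with missing deauthentication data are not silently lost.
    """
    open_sessions = {}          # user -> (ap, start)
    sessions = defaultdict(list)

    def close(user, end):
        ap, start = open_sessions.pop(user)
        sessions[user].append((ap, start, min(end, start + max_session)))

    for ts, user, ap, action in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if action == "authentication":
            if user in open_sessions:
                close(user, t)
            open_sessions[user] = (ap, t)
        elif action == "deauthentication":
            # A deauthentication with no matching open session is ignored.
            if user in open_sessions and open_sessions[user][0] == ap:
                close(user, t)
    for user in list(open_sessions):
        close(user, window_end)
    return sessions


def contacts(sessions, infected_user, min_overlap=timedelta(minutes=15),
             exclusions=frozenset()):
    """Return {other_user: total_overlap} for users who shared an AP with
    infected_user for at least min_overlap in total, skipping excluded APs."""
    totals = defaultdict(timedelta)
    for ap_i, s_i, e_i in sessions.get(infected_user, []):
        if ap_i in exclusions:
            continue
        for other, other_sessions in sessions.items():
            if other == infected_user:
                continue
            for ap_o, s_o, e_o in other_sessions:
                if ap_o != ap_i:
                    continue
                overlap = min(e_i, e_o) - max(s_i, s_o)
                if overlap > timedelta(0):
                    totals[other] += overlap
    return {u: d for u, d in totals.items() if d >= min_overlap}


if __name__ == "__main__":
    window_end = datetime.fromisoformat("2020-09-01T18:00:00")
    sessions = build_sessions(EVENTS, window_end)
    for user, shared in contacts(sessions, "alice",
                                 exclusions=ACCESS_POINT_EXCLUSIONS).items():
        print(f"{user} shared an AP with alice for {shared}")
```

With the constructed data, only bob is reported for alice: carol overlapped for just three minutes, eve's hour of overlap was on an excluded AP, and dave's open-ended session on ap-lib-01 starts after alice had left. In Splunk the same logic would be a search over the Network Sessions data model that pairs each user's authentication with the next deauthentication (or next authentication elsewhere) before computing overlaps per dest_dns.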

Interaction Analytics: Conclusion

Overall, the app can quickly help you not only find those that could have potentially been infected with COVID-19, but it can also show areas of saturation.  As the team continues to implement this app with various customers, I am sure they will continue to add more functionality to the app to make it even easier to track the spread of COVID-19.

About SP6

SP6 is a Splunk consulting firm focused on Splunk professional services including Splunk deployment, ongoing Splunk administration, and Splunk development. SP6 has a separate division that also offers Splunk recruitment and the placement of Splunk professionals into direct-hire (FTE) roles for those companies that may require assistance with acquiring their own full-time staff, given the challenge that currently exists in the market today.