I wanted to utilise Splunk even more than (or at least as much as) Edd does in https://www.splunk.com/blog/2013/10/22/go-splunk-yourself.html
First signup for a tracking solution failed.
Looking in the Apple Store, I found followmee.com and signed up for an account. Followmee.com has a complete mapping (tracking) solution, so I could have stopped there, but the focus was Splunk.
The only interesting app settings on the iPhone are the tracking state and how often the app tracks; see http://followmee.com/Howto.aspx?t=howtoconfigureiphone
Tracking Power
It specifies how aggressively the app will track. The default setting is medium, which gives you a new location update every 5 to 10 minutes. If you want more frequent update, choose the high setting, which updates every 1 to 2 minutes.
Getting data out
Next, the data can be extracted to XLS and CSV, but this was too manual. I wanted to automate it, so I signed up for the API services, which have 2 primary functions:
Past hours history for a device
Past hours history gives JSON like:
{"Data":[{"Date":"2017-12-03T15:26:14+01:00","Latitude":57.01060,"Longitude":10.03402,"Type":"GPS","Speed(mph)":null,"Speed(km/h)":null,"Altitude(ft)":16,"Altitude(m)":5,"Accuracy":124},{"Date":"2017-12-03T15:53:52+01:00","Latitude":57.01172,"Longitude":10.04380,"Type":"GPS","Speed(mph)":null,"Speed(km/h)":null,"Altitude(ft)":0,"Altitude(m)":0,"Accuracy":165},{"Date":"2017-12-03T15:57:05+01:00","Latitude":57.01323,"Longitude":10.04936,"Type":"GPS","Speed(mph)":null,"Speed(km/h)":null,"Altitude(ft)":6,"Altitude(m)":2,"Accuracy":165},{"Date":"2017-12-03T16:03:25+01:00","Latitude":57.01406,"Longitude":10.04982,"Type":"GPS","Speed(mph)":null,"Speed(km/h)":null,"Altitude(ft)":3,"Altitude(m)":1,"Accuracy":65},{"Date":"2017-12-03T16:05:50+01:00","Latitude":57.01049,"Longitude":10.03452,"Type":"GPS","Speed(mph)":null,"Speed(km/h)":null,"Altitude(ft)":16,"Altitude(m)":5,"Accuracy":67},{"Date":"2017-12-03T16:15:17+01:00","Latitude":57.01063,"Longitude":10.03377,"Type":"GPS","Speed(mph)":null,"Speed(km/h)":null,"Altitude(ft)":19,"Altitude(m)":6,"Accuracy":65},{"Date":"2017-12- ... ... 08T18:20:06+01:00","Latitude":57.01431,"Longitude":10.03389,"Type":"GPS","Speed(mph)":38,"Speed(km/h)":61,"Altitude(ft)":36,"Altitude(m)":11,"Accuracy":10},{"Date":"2017-12-08T18:21:58+01:00","Latitude":57.01034,"Longitude":10.03387,"Type":"GPS","Speed(mph)":4,"Speed(km/h)":6,"Altitude(ft)":29,"Altitude(m)":9,"Accuracy":5}]}
Current location for a device
Current location gives JSON like:
{"Data":[{"DeviceName":"Normann P.'s iPhone","DeviceID":"11787783","Date":"2017-12-08T18:21:58+01:00","Latitude":57.01034,"Longitude":10.03387,"Type":"GPS","Speed(mph)":4,"Speed(km/h)":6,"Altitude(ft)":29,"Altitude(m)":9,"Accuracy":5}]}
In Splunk, it's a bit hard to split multivalue JSON into events, and since this is a POC and I don't care that much for history, I will go for the current location...
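If the history is wanted after all, the split can be done before indexing. The following is an added example, not code from the original post: it turns one history response into one JSON line per location fix, skips malformed records, and keeps a timestamp checkpoint so repeated polls do not index the same fix twice. The output field names and the device id `demo-device` are assumptions, and the sample input is constructed in the shape of the response shown above.

```python
import json
from datetime import datetime

# Constructed sample in the shape of the "past hours history" response above;
# the last record is deliberately malformed (no coordinates).
SAMPLE_HISTORY = """{"Data":[
 {"Date":"2017-12-03T15:26:14+01:00","Latitude":57.01060,"Longitude":10.03402,
  "Type":"GPS","Speed(km/h)":null,"Altitude(m)":5,"Accuracy":124},
 {"Date":"2017-12-03T15:53:52+01:00","Latitude":57.01172,"Longitude":10.04380,
  "Type":"GPS","Speed(km/h)":null,"Altitude(m)":0,"Accuracy":165},
 {"Date":"2017-12-03T15:57:05+01:00","Latitude":57.01323,"Longitude":10.04936,
  "Type":"GPS","Speed(km/h)":61,"Altitude(m)":2,"Accuracy":165},
 {"Date":"2017-12-03T16:03:25+01:00","Type":"GPS"}
]}"""

def split_history(raw, device_id, last_seen=None):
    """Return (lines, newest): one JSON line per fix newer than last_seen,
    plus the newest timestamp seen, to be passed as last_seen on the next poll."""
    fixes = json.loads(raw).get("Data")
    if not isinstance(fixes, list):
        raise ValueError("response has no Data array")
    lines, newest = [], last_seen
    for fix in fixes:
        try:
            when = datetime.fromisoformat(fix["Date"])
            lat, lon = float(fix["Latitude"]), float(fix["Longitude"])
            if when.tzinfo is None:
                raise ValueError("timestamp without UTC offset")
        except (KeyError, TypeError, ValueError):
            continue  # malformed record: skip it rather than index garbage
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            continue  # coordinates outside the valid range
        if last_seen is not None and when <= last_seen:
            continue  # already emitted by an earlier poll
        event = {"time": when.isoformat(), "device_id": device_id,
                 "lat": lat, "lon": lon, "type": fix.get("Type"),
                 "speed_kmh": fix.get("Speed(km/h)"),
                 "altitude_m": fix.get("Altitude(m)"),
                 "accuracy": fix.get("Accuracy")}
        lines.append(json.dumps(event, sort_keys=True))
        if newest is None or when > newest:
            newest = when
    return lines, newest

if __name__ == "__main__":
    out, checkpoint = split_history(SAMPLE_HISTORY, "demo-device")  # hypothetical id
    print("\n".join(out))
    print("checkpoint:", checkpoint.isoformat())
```

Written to a file that Splunk monitors, each output line becomes its own event with its own timestamp.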
Getting data in
To get data into Splunk, several approaches are possible, and typically I would choose a script that pulls data from the API into a file to be parsed. This time, though, I wanted to get the JSON into Splunk the simplest way, so I installed the REST API Modular Input Add On, even though it's pretty old. The Add On adds an input possibility:
So, after adding a new index for the data, and getting the API Key from the followmee.com website, we add an input:
And sourcetype and index: