Splunk Interaction Analytics

Splunk Interaction Analytics Apps

Last Updated on December 18, 2020

To say a lot has change in 2020 is an understatement.  The world we live in and work in has dramatically changed these past few months and some changes might last even longer.  But even in this unpredictable world, we still look at data to help us solve our problems. 

One new problem we have run into is the COVID-19 virus.  COVID-19 has taught us to stay six feet away from each other, wear masks, and washing our hands regularly.  But sometimes that isn’t enough or for other unknown circumstances, we still can get the COVID-19 virus.  Therefore, we need a way to figure out how to notify those that might have been in contact with someone who has contracted COVID-19.  This is where Big Data, Splunk, and the Splunk Interaction Analytics app come into the picture.

What is the Splunk Interaction Analytics App?

The Splunk Interaction Analytics app was written by members of the Splunk SLED team.  The app was designed to help determine who an infected user has been in contact with.  By using networking data, the dashboards can show the various people they may have been around during the infection period.

How does it work?

In order to help streamline the implementation of the app, the team decided to use the Network Sessions Data Model.  This allows you to mapped the appropriate data to the model in order to populate the dashboards.  Below are some of the fields of the data model that will need to be populated along with the lookups that will need to be populated as well.


dest_dnsThis field will contain the name of the AP or an identifier of the AP.  It will be used to determine if an infected user was with another user for an extended period of time.
userThis is the name of the user authenticated to the AP.
actionThis field determines when the user authenticated or deauthenticated to the AP.  This allows the app to determine the duration of when a user was on an AP with an infected user.  The two acceptable values here are authentication and deauthentication.


access_point_exclusionsList of WAP to be excluded from dashboard searches.
building_lookupList of WAP that are associated to a building with the longitude and latitude of the WAP.

Want to Know More? Contact Aditum’s Splunk Experts.

“We have a demanding development environment and Aditum has delivered top notch support.”

– Large Health Insurance Provider

Aditum’s Splunk Architects, Splunk Administrators, Splunk Developers and Information Security consultants deliver outstanding results to companies like yours every day. From initial installation to managed services, our experts can help you deliver success.

Use Cases

There are two potential use cases for this app even though there could be plenty more.

  1. Ability to find users that spent time with the infected user.  This allows you to search for a user and figure out what areas that user was in.
  • Ability to see how many users are in a given area.  You can use the heat map to determine if there are more users in one area than allowed and take action.


Though this app has a wonderful design and very intuitive dashboards, there are two gotchas in implementing this app.

  1. You need Longitude and Latitude coordinates for each WAP.  This can be a big undertaking if you have thousands of WAPs.
  2. You need authentication and deauthentication information.  In order to determine duration (which is the duration someone was on a WAP with another user), the app uses the time between authentication and deauthentication events.  Unfortunately, not all data sources have this information. 

The good news for the second gotcha is that the SLED team has already figured out this issue and can help you with that problem if you are unable to get that information.


Overall, the app can quickly help you not only find those that could have potentially been infected with COVID-19 but it can also show areas of saturation.  As the team continues to implement this app with various customers, I am sure they will continue to add more functionality to the app to make it even easier to track the spread of COVID-19.

About Aditum

Aditum’s Splunk Professional Services consultants can assist your team with best practices to optimize your Splunk deployment and get more from Splunk.

Our certified Splunk Architects and Splunk Consultants manage successful Splunk deployments, environment upgrades and scaling, dashboard, search, and report creation, and Splunk Health Checks. Aditum also has a team of accomplished Splunk Developers that focus on building Splunk apps and technical add-ons.

Contact us directly to learn more.

Mariano Romano
Latest posts by Mariano Romano (see all)
Share this Article

Please Login to Comment.