Dashboards & Visualizations

How to join multiple sources to build a network path

PaoloR84
New Member

Hi all,
I have the following dataset:

Source A: "DEVICE INFO"
Source B: "SOURCE" (maps to SourceA DEVICE),"SOURCE_PORTS",DESTINATION, DESTINATION_PORTS
Source C: "SOURCE" (which is the DESTINATION of Source B) etc.

Basically I'm trying to dynamically build a network path between multiple devices (and from multiple sources), the ultimate goal will be a network topology (probably with sankey but doesn't matter right now)

As an example:

SourceA

    | makeresults | eval sourcetype = "A" | eval Device = "Device_XYZ" | eval Model = "Vendor"

SourceB

    | append [| makeresults | eval sourcetype = "B" | eval Source = "Device_XYZ" | eval SourcePorts = "123456" | eval Destination = "Device_QWE" | eval DestinationPorts = "AAABBBB"] 
    | append [| makeresults | eval sourcetype = "B" | eval Source = "Device_XYZ" | eval SourcePorts = "789000" | eval Destination = "Device_QWE" | eval DestinationPorts = "CCCDDDD"] 

SourceC

    | append [| makeresults | eval sourcetype = "C" | eval Source = "Device_QWE" | eval SourcePorts = "AAABBBB" | eval Destination = "Device_MNB" | eval DestinationPorts = "QQQWWW"] 
    | append [| makeresults | eval sourcetype = "C" | eval Source = "Device_QWE" | eval SourcePorts = "CCCDDDD" | eval Destination = "Device_MNB" | eval DestinationPorts = "QQQWWW"]

Any idea on how to approach is welcome, ty guys for your time

PaoloR

0 Karma

PaoloR84
New Member

@urana
Thank you, but that approach doesn't work (or I wasn't able to make it work); I've ended up doing a map command from the A & B sources and then a join with the C source. I try to avoid join as much as possible, but the devices aren't billions and the performance is more than acceptable.

@woodcock
I was playing with Business Flow a few weeks ago in the Splunk Oxygen; it may be worth another look, ty.
The topology apps are all great and I already use them; the issue with this use case is the tons of variables to be handled.

Basically I have (just as example):
- Switch 1 connected to Switch 2 with 4 ports; each link has its own metrics/info
- Switch 2 connected to Switch 3 with 8 ports; again, each link with its own info

I tried with multivalues and successfully built a single-line, multivalue topology across all devices/links. Right now I'm stuck on splitting multivalue fields because they have uneven elements; the "standard" mvjoin/split/rex works well when you have the same number of elements in each multivalue, but that's not my case 😞

Anyway, ty all for your time
PaoloR

0 Karma
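As an added example that is not part of the thread (written in Python rather than SPL so the join logic can be run offline), this chains the sample rows from sources A, B and C above by matching each hop's Destination/DestinationPorts to the next hop's Source/SourcePorts, which is the same key a join in SPL would use, attaches the device info from source A, and emits one row per link, so hops with 4 links and hops with 8 links never have to be packed into uneven multivalue fields. The row data is constructed to mirror the makeresults examples; `topology_edges` and `path_strings` are helper names chosen here.

```python
from collections import defaultdict

# Constructed sample rows mirroring the thread's makeresults data (not real devices).
SOURCE_A = [{"Device": "Device_XYZ", "Model": "Vendor"}]
SOURCE_B = [
    {"Source": "Device_XYZ", "SourcePorts": "123456", "Destination": "Device_QWE", "DestinationPorts": "AAABBBB"},
    {"Source": "Device_XYZ", "SourcePorts": "789000", "Destination": "Device_QWE", "DestinationPorts": "CCCDDDD"},
]
SOURCE_C = [
    {"Source": "Device_QWE", "SourcePorts": "AAABBBB", "Destination": "Device_MNB", "DestinationPorts": "QQQWWW"},
    {"Source": "Device_QWE", "SourcePorts": "CCCDDDD", "Destination": "Device_MNB", "DestinationPorts": "QQQWWW"},
]

def build_paths(device_info, first_hops, *other_links):
    """Return one path (a list of hops) per chain of links starting in first_hops.

    A hop continues into every link whose (Source, SourcePorts) equals the previous
    hop's (Destination, DestinationPorts): the join key from the thread. A link with
    no continuation still yields a one-hop path. Device info from source A is
    attached per hop; devices missing from A get model "unknown".
    """
    models = {d["Device"]: d.get("Model", "unknown") for d in device_info}
    by_ingress = defaultdict(list)          # (device, port) -> links entering there
    for src in other_links:
        for link in src:
            by_ingress[(link["Source"], link["SourcePorts"])].append(link)

    def hop(link):
        return {"from": link["Source"], "from_port": link["SourcePorts"],
                "from_model": models.get(link["Source"], "unknown"),
                "to": link["Destination"], "to_port": link["DestinationPorts"],
                "to_model": models.get(link["Destination"], "unknown")}

    def walk(path, last, seen):
        # seen holds ids of links already on this path, so a looped topology terminates
        nxt = [l for l in by_ingress.get((last["Destination"], last["DestinationPorts"]), [])
               if id(l) not in seen]
        if not nxt:
            yield path
        for link in nxt:
            yield from walk(path + [hop(link)], link, seen | {id(link)})

    return [p for link in first_hops for p in walk([hop(link)], link, {id(link)})]

def topology_edges(paths):
    """Collapse paths to one row per device pair with its (from_port, to_port) list."""
    ports = defaultdict(set)
    for path in paths:
        for h in path:
            ports[(h["from"], h["to"])].add((h["from_port"], h["to_port"]))
    return {edge: sorted(p) for edge, p in ports.items()}

def path_strings(paths):
    """Render a path as 'Device_XYZ:123456 -> Device_QWE:AAABBBB -> Device_MNB:QQQWWW'."""
    return [" -> ".join([f"{p[0]['from']}:{p[0]['from_port']}"]
                        + [f"{h['to']}:{h['to_port']}" for h in p]) for p in paths]
```

The per-pair edge rows from `topology_edges` are the shape a Sankey or force-directed visualization consumes, with the link count available as the length of each port list.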

woodcock
Esteemed Legend

You really need to look at Business Flow:
https://www.splunk.com/en_us/software/business-analytics-and-process-mining.html

You might also check out some mod-viz on Splunkbase:
Force Directed App: https://splunkbase.splunk.com/app/3767/
Graph Viz: https://splunkbase.splunk.com/app/4346/
AfterGlow: https://splunkbase.splunk.com/app/277/

0 Karma

urana
Engager

You could try multisearch, something like this

    | multisearch
        [ search Source A
        | search search query
        | fields all fields you want from that search]
        [ search Source B
        | search search query
        | fields all fields you want from that search]
        [ search Source C
        | search search query
        | fields all fields you want from that search]
    | eval SourceA=if(like(fieldA,"%pattern%"),"field B",fieldC)

For example I use it for Potential Malicious User agents:

    | multisearch
        [ search (index=proxy) "script"
        | search http_user_agent="script"
        | fields _time, http_user_agent, src_ip, url]
        [ search (index=proxy OR sourcetype=f5*) "Iceweasel"
        | search http_user_agent="Iceweasel"
        | fields _time, http_user_agent, src_ip, url]
        [ search (index=proxy OR sourcetype=f5*) "Meterpreter/Windows"
        | search http_user_agent="*Meterpreter/Windows"
        | fields _time, http_user_agent, src_ip, url]
        [ search (index=proxy OR sourcetype=f5*) "Mozilla/5.00 (Nikto/"
        | search http_user_agent="Mozilla/5.00 (Nikto/*"
        | fields _time, http_user_agent, src_ip, url]
        [ search (index=proxy OR sourcetype=f5*) "dirb"
        | search http_user_agent="dirb"
        | fields _time, http_user_agent, src_ip, url]
        [ search (index=proxy OR sourcetype=f5*) "WinHttp.WinHttpRequest"
        | search http_user_agent="Win32; WinHttp.WinHttpRequest"
        | fields _time, http_user_agent, src_ip, url]
    | eval suspect_issue=if(like(http_user_agent,"%script%"),"Cross Site Scripting",suspect_issue)
    | eval suspect_issue=if(like(http_user_agent,"%Iceweasel%"),"Kali",suspect_issue)
    | eval suspect_issue=if(like(http_user_agent,"%Meterpreter%"),"Meterpreter",suspect_issue)
    | eval suspect_issue=if(like(http_user_agent,"%(Nikto/%"),"Nikto Scanning",suspect_issue)
    | eval suspect_issue=if(like(http_user_agent,"%dirb%"),"DirbScanning",suspect_issue)
    | eval suspect_issue=if(like(http_user_agent,"%WinHttp.WinHttpRequest%"),"WScript",suspect_issue)
    | stats latest(_time) AS Latest, values(url) as url by http_user_agent, suspect_issue, src_ip

0 Karma