Create a multi-level sankey using IPs and Ports

j4adam
Communicator

Hello all,

I'm attempting to make a multi-level sankey visualization mapping src_ip to dest_ip and then dest_ip to dest_port. The high level is that I'm looking for a visualization to see who's connecting to what and on which port. Sankey is ideal because you can quickly see if multiple sources are connecting to the same IP and port.

I can get the src_ip to dest_ip line, but the problem I'm having is branching from there to another level for the ports. Currently the port is just displayed when moused over. I'm feeding it with a four column table currently:

| stats count by src_ip, dest_ip, dest_port | table src_ip, dest_ip, count, dest_port

1 Solution

sundareshr
Legend

You may have to "append" as source/dest. Something like this may work (haven't tried it, but you could)

*UPDATED*

index=_internal sourcetype=*web_access | stats count by uri status | rename uri AS from status AS to | append [ search index=_internal sourcetype=*web_access | stats count by status referer | rename status AS from referer AS to ]

uhkc777
Explorer

No, it's not working either.

sundareshr
Legend

Here is a run-anywhere sample, try this

index=_internal sourcetype=*web_access | stats count by uri status | rename uri AS from status AS to | append [ search index=_internal sourcetype=*web_access | stats count by status referer | rename status AS from referer AS to ]

j4adam
Communicator

That does make a multi-level sankey, but it's so dense that I can't make it out. I'll try to reverse engineer the search with my data and see what I get, thanks!

j4adam
Communicator

Holy cow, that did it! I'm really unsure what the "rename uri AS from status AS to" and "rename status AS from referer AS to" are doing, but it's exactly what I was looking for!

If you want to answer again or edit your original, I'd love to accept it! If you wanted to explain what that did, I wouldn't mind either 🙂

Edit: Oh, I get the renaming now.

sundareshr
Legend

Sankey only accepts one source (from) and one target (to). So what this query does is trick sankey into thinking that status is the "TO" when uri is the source or "FROM", and that status is the "FROM" when referer is the "TO", creating a 3-level chart: uri --> status --> referer. You can do this to create as many levels as needed. Just keep appending events where the TO of the previous group is the FROM for the next group.

Hope this helps.

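As an added example (not from this thread, and not Splunk's own code), the chained-append idea above applied to the original src_ip --> dest_ip --> dest_port case in Python, generalized to any number of levels: one count per adjacent field pair, with the "to" of each level becoming the "from" of the next, which is exactly what the `stats ... | rename ... | append [...]` search builds. The flow records, field list and helper names are constructed for illustration; the last record is missing dest_port on purpose, since `stats count by` drops events whose by-fields are null, and the `dangling_nodes` check shows which nodes then stop short of the final level.

```python
from collections import Counter

# Constructed sample flow records (not real data). The last record has no
# dest_port, which `stats count by dest_ip dest_port` would silently drop.
FLOWS = [
    {"src_ip": "10.0.0.5", "dest_ip": "192.168.1.10", "dest_port": "443"},
    {"src_ip": "10.0.0.5", "dest_ip": "192.168.1.10", "dest_port": "443"},
    {"src_ip": "10.0.0.7", "dest_ip": "192.168.1.10", "dest_port": "443"},
    {"src_ip": "10.0.0.7", "dest_ip": "192.168.1.20", "dest_port": "22"},
    {"src_ip": "10.0.0.9", "dest_ip": "192.168.1.20", "dest_port": "22"},
    {"src_ip": "10.0.0.9", "dest_ip": "192.168.1.30", "dest_port": None},
]
LEVELS = ["src_ip", "dest_ip", "dest_port"]  # chart order, left to right

def level_counts(records, fields):
    """One Counter per adjacent field pair: the equivalent of one
    `stats count by <from> <to>` per level. Records missing either field
    are skipped at that level, as `stats ... by` does with null fields."""
    levels = []
    for f_from, f_to in zip(fields, fields[1:]):
        pairs = [(r.get(f_from), r.get(f_to)) for r in records]
        levels.append(Counter(p for p in pairs if None not in p))
    return levels

def sankey_edges(records, fields):
    """Flatten the levels into the from/to/count rows the Sankey expects,
    in the order `| append [...]` would concatenate them."""
    return [
        {"from": src, "to": dst, "count": n}
        for level in level_counts(records, fields)
        for (src, dst), n in sorted(level.items())
    ]

def dangling_nodes(records, fields):
    """Values that arrive as a 'to' at one level but never leave as a 'from'
    at the next, so they end early in the chart instead of fanning out to
    the last level (here: a dest_ip whose records all lack dest_port)."""
    levels = level_counts(records, fields)
    dangling = set()
    for cur, nxt in zip(levels, levels[1:]):
        dangling |= {dst for _, dst in cur} - {src for src, _ in nxt}
    return sorted(dangling)

if __name__ == "__main__":
    for edge in sankey_edges(FLOWS, LEVELS):
        print(edge)
    print("dangling:", dangling_nodes(FLOWS, LEVELS))
```

Because nodes are matched by value, every dest_ip that serves port 443 feeds the same "443" node; the `eval dest=dest_ip."#".dest_port` variant posted later in this thread is the way to keep each IP/port pair as its own node instead.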
sundareshr
Legend

@j4adam please mark this question as accepted to close it out.

sundareshr
Legend

How about this

... | eval dest=dest_ip."#".dest_port | stats count by src_ip dest

j4adam
Communicator

That's definitely an interesting approach I didn't think of, appending the port to the destination IP, but I was hoping to get the second layer of the sankey if that was possible. I will be using this until I figure out how to do it the way I intend, though!

j4adam
Communicator

I'm trying to emulate something like what is seen in this 2014 .conf presentation:

http://image.slidesharecdn.com/conf2014tlagattaodegarriguessplunkbusinessanalytics-150625201528-lva1...
