Create a multi-level sankey using IPs and Ports

Communicator

Hello all,

I'm attempting to make a multi-level sankey visualization mapping src_ip to dest_ip and then dest_ip to dest_port. The high level is that I'm looking for a visualization to see who's connecting to what and on which port. Sankey is ideal because you can quickly see if multiple sources are connecting to the same IP and port.

I can get the src_ip to dest_ip line, but the problem I'm having is branching from there to another level for the ports. Currently the port is just displayed when moused over. I'm feeding it with a four column table currently:

| stats count by src_ip, dest_ip, dest_port | table src_ip, dest_ip, count, dest_port

1 Solution

Legend

You may have to "append" as source/dest. Something like this may work (haven't tried it, but you could)

*UPDATED*

 index=_internal sourcetype=*web_access | stats count by uri status | rename uri AS from status AS to | append [ search index=_internal sourcetype=*web_access | stats count by status referer | rename status AS from referer AS to ]

Explorer

No, it's not working either.

Legend

Here is a run-anywhere sample, try this

index=_internal sourcetype=*web_access | stats count by uri status | rename uri AS from status AS to | append [ search index=_internal sourcetype=*web_access | stats count by status referer | rename status AS from referer AS to ]

Communicator

That does make a multi-level sankey, but it's so dense that I can't make it out. I'll try to reverse engineer the search with my data and see what I get, thanks!

Communicator

Holy cow, that did it! I'm really unsure what the "rename uri AS from status AS to" and "rename status AS from referer AS to" are doing, but it's exactly what I was looking for!

If you want to answer again or edit your original, I'd love to accept it! If you wanted to explain what that did, I wouldn't mind either 🙂

Edit: Oh, I get the renaming now.

Legend

Sankey only accepts one source (from) and one target (to). So what this query does is trick sankey into thinking the status is the "TO" when the source or "FROM" is uri, and that the status is the "FROM" when the referer is the "TO", creating a 3-level chart: uri --> status --> referer. You can do this to create as many levels as needed. Just keep appending events where the TO of the previous group is the FROM for the next group.

Hope this helps.

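The append trick described above, restated as an added Python example (not code from this thread or from Splunk) that builds the same from/to/count edge table out of constructed sample connection records, for the asker's src_ip -> dest_ip -> dest_port case. The record layout, the function names and the sample addresses are assumptions made for illustration; the example also includes the dest_ip."#".dest_port variant suggested later in the thread and a check for a caveat of label-keyed sankeys:

```python
"""
Added example, not code from the thread or from Splunk: it rebuilds in plain
Python the from/to/count edge table that the accepted SPL answer produces
with 'stats count by ... | rename ... | append [...]', applied to the
asker's src_ip -> dest_ip -> dest_port case, so the shape of the result
can be inspected without a Splunk instance.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

Record = Tuple[str, str, str]  # (src_ip, dest_ip, dest_port); assumed layout
Edge = Tuple[str, str]         # (from, to), the two columns a sankey reads

# Constructed sample connections, as if each line were one raw event feeding
# '| stats count by src_ip, dest_ip, dest_port'. Addresses are made up.
SAMPLE_CONNECTIONS: List[Record] = [
    ("10.0.0.5", "192.168.1.10", "443"),
    ("10.0.0.5", "192.168.1.10", "443"),
    ("10.0.0.7", "192.168.1.10", "443"),
    ("10.0.0.7", "192.168.1.10", "22"),
    ("10.0.0.9", "192.168.1.20", "22"),
    ("10.0.0.9", "192.168.1.20", "3389"),
]


def level_edges(records: Iterable[Record], from_col: int, to_col: int) -> Counter:
    """One level: '| stats count by <from_col> <to_col> | rename ... AS from ... AS to'."""
    return Counter((r[from_col], r[to_col]) for r in records)


def sankey_edges(records: List[Record], levels: List[Tuple[int, int]]) -> Dict[Edge, int]:
    """
    The 'append' trick: concatenate one edge table per level. Each level is a
    (from_col, to_col) pair of column indexes, and the levels chain because the
    'to' column of level N is reused as the 'from' column of level N+1.
    """
    edges: Counter = Counter()
    for from_col, to_col in levels:
        edges.update(level_edges(records, from_col, to_col))  # append, summing counts
    return dict(edges)


def combined_dest_edges(records: Iterable[Record], sep: str = "#") -> Dict[Edge, int]:
    """
    The other approach in the thread, '| eval dest=dest_ip."#".dest_port |
    stats count by src_ip dest': only two levels, but each (dest_ip, port) pair
    is its own node, so no source's traffic is merged with another's.
    """
    return dict(Counter((src, f"{dst}{sep}{port}") for src, dst, port in records))


def cyclic_labels(records: Iterable[Record]) -> Set[str]:
    """
    Caveat check: sankey nodes are keyed by label alone, so an address that is
    both a src_ip and a dest_ip (a pivot host, or a scanner that is itself
    scanned) becomes one node that both emits and receives flow, i.e. a cycle,
    which sankey layouts generally cannot draw cleanly.
    """
    records = list(records)
    return {r[0] for r in records} & {r[1] for r in records}


def as_table(edges: Dict[Edge, int]) -> List[str]:
    """Render as the from/to/count rows the visualization consumes, largest first."""
    rows = ["from\tto\tcount"]
    for (src, dst), n in sorted(edges.items(), key=lambda kv: (-kv[1], kv[0])):
        rows.append(f"{src}\t{dst}\t{n}")
    return rows


if __name__ == "__main__":
    # Level 1: src_ip (col 0) -> dest_ip (col 1); level 2: dest_ip (col 1) -> dest_port (col 2)
    three_level = sankey_edges(SAMPLE_CONNECTIONS, levels=[(0, 1), (1, 2)])
    print("\n".join(as_table(three_level)))
    print()
    print("\n".join(as_table(combined_dest_edges(SAMPLE_CONNECTIONS))))
    cycles = cyclic_labels(SAMPLE_CONNECTIONS)
    if cycles:
        print("warning: labels used as both source and destination:", sorted(cycles))
```

Two things the table makes visible that the chart alone does not. First, in the three-level form the port "22" is a single node shared by both destination hosts, so once flow passes through it you can no longer tell which source drove traffic to which host on that port; the dest_ip."#".dest_port form keeps that pairing at the cost of the third level. Second, any label that occurs as both src_ip and dest_ip merges into one node and produces a cycle, which is worth checking before blaming the visualization for a dense or broken layout. As an untested adaptation of the accepted answer to the asker's fields, the SPL equivalent of sankey_edges would be the base search followed by `| stats count by src_ip dest_ip | rename src_ip AS from dest_ip AS to | append [ search <base search> | stats count by dest_ip dest_port | rename dest_ip AS from dest_port AS to ]`.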
Legend

@j4adam please mark this question as accepted to close it out.

Legend

How about this

... | eval dest=dest_ip."#".dest_port | stats count by src_ip dest

Communicator

That's definitely an interesting approach I didn't think of, appending the port to the destination IP, but I was hoping to get the second layer of the sankey if that was possible. I will be using this until I figure out how to do it the way I intend, though!

Communicator

I'm trying to emulate something like what is seen in this 2014 .conf presentation:

http://image.slidesharecdn.com/conf2014tlagattaodegarriguessplunkbusinessanalytics-150625201528-lva1...
