Dashboards & Visualizations

How to join multiple sources to build a network path

New Member

Hi all,
I have the following dataset:

Source A: "DEVICE INFO"
Source B: "SOURCE" (maps to SourceA DEVICE),"SOURCEPORTS",DESTINATION, DESTINATIONPORTS
Source C: "SOURCE" (which is the DESTINATION of Source B) etc..

Basically I'm trying to dynamically build a network path between multiple devices (and from multiple sources); the ultimate goal will be a network topology (probably with Sankey, but that doesn't matter right now).

As example:

SourceA

    | makeresults | eval sourcetype = "A" | eval Device = "Device_XYZ" | eval Model = "Vendor"

SourceB

    | append [| makeresults | eval sourcetype = "B" | eval Source = "Device_XYZ" | eval SourcePorts = "123456" | eval Destination = "Device_QWE" | eval DestinationPorts = "AAABBBB"] 
    | append [| makeresults | eval sourcetype = "B" | eval Source = "Device_XYZ" | eval SourcePorts = "789000" | eval Destination = "Device_QWE" | eval DestinationPorts = "CCCDDDD"] 

SourceC

    | append [| makeresults | eval sourcetype = "C" | eval Source = "Device_QWE" | eval SourcePorts = "AAABBBB" | eval Destination = "Device_MNB" | eval DestinationPorts = "QQQWWW"]
    | append [| makeresults | eval sourcetype = "C" | eval Source = "Device_QWE" | eval SourcePorts = "CCCDDDD" | eval Destination = "Device_MNB" | eval DestinationPorts = "QQQWWW"]

Any idea on how to approach this is welcome; ty guys for your time.

PaoloR

0 Karma
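The A/B/C chain described in the question, as an added example that is not from the thread or from Splunk: a plain-Python prototype of the join the SPL has to express (a B row continues into a C row where B's Destination/DestinationPorts equal C's Source/SourcePorts), generalised to any number of link sources and tolerant of a link with no downstream match, the uneven case. The sample rows are constructed from the makeresults values above; `build_paths` and `sankey_rows` are names chosen here, not Splunk commands.

```python
from collections import defaultdict

# Constructed rows mirroring the makeresults data in the question (sourcetypes A, B, C).
SOURCE_A = [{"Device": "Device_XYZ", "Model": "Vendor"}]
SOURCE_B = [
    {"Source": "Device_XYZ", "SourcePorts": "123456", "Destination": "Device_QWE", "DestinationPorts": "AAABBBB"},
    {"Source": "Device_XYZ", "SourcePorts": "789000", "Destination": "Device_QWE", "DestinationPorts": "CCCDDDD"},
]
SOURCE_C = [
    {"Source": "Device_QWE", "SourcePorts": "AAABBBB", "Destination": "Device_MNB", "DestinationPorts": "QQQWWW"},
    {"Source": "Device_QWE", "SourcePorts": "CCCDDDD", "Destination": "Device_MNB", "DestinationPorts": "QQQWWW"},
]


def build_paths(device_info, *link_sources):
    """Chain link sources hop by hop: a row of source N continues into source N+1 when its
    (Destination, DestinationPorts) equals the next row's (Source, SourcePorts)."""
    models = {d["Device"]: d.get("Model") for d in device_info}
    # Index each link source by its ingress key so every join step is a dict lookup, not a scan.
    indexed = [defaultdict(list) for _ in link_sources]
    for idx, rows in enumerate(link_sources):
        for row in rows:
            indexed[idx][(row["Source"], row["SourcePorts"])].append(row)

    def walk(row, depth):
        hop = {"src": row["Source"], "src_port": row["SourcePorts"],
               "dst": row["Destination"], "dst_port": row["DestinationPorts"]}
        if depth + 1 == len(link_sources):
            return [[hop]]
        nxt = indexed[depth + 1].get((row["Destination"], row["DestinationPorts"]), [])
        if not nxt:  # dangling link: no row downstream matches this port, so the path ends here
            return [[hop]]
        return [[hop] + rest for n in nxt for rest in walk(n, depth + 1)]

    # Every path starts from a row of the first link source; device info (source A) enriches it.
    return [{"model": models.get(hops[0]["src"]), "hops": hops}
            for row in link_sources[0] for hops in walk(row, 0)]


def sankey_rows(paths):
    """Collapse paths into (source, target, link_count) edges, the shape a Sankey chart takes."""
    counts = defaultdict(int)
    for path in paths:
        for hop in path["hops"]:
            counts[(hop["src"], hop["dst"])] += 1
    return sorted((src, dst, n) for (src, dst), n in counts.items())


if __name__ == "__main__":
    for p in build_paths(SOURCE_A, SOURCE_B, SOURCE_C):
        print(p["model"], [(h["src"], h["src_port"], h["dst"], h["dst_port"]) for h in p["hops"]])
    print(sankey_rows(build_paths(SOURCE_A, SOURCE_B, SOURCE_C)))
```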

New Member

@urana
Thank you, but that approach doesn't work (or I wasn't able to make it work); I've ended up doing a map command from the A & B sources and then a join with the C source. I try to avoid join as much as possible, but the devices aren't billions and the performance is more than acceptable.

@woodcock
I was playing with Business Flow a few weeks ago in the Splunk Oxygen; it may be worth another look, ty.
The topology apps are all great and I already use them; the issue with this use case is the tons of variables to be handled.

Basically I have (just as example):
- Switch 1 connected to Switch 2 with 4 ports; each link has its own metrics/info
- Switch 2 connected to Switch 3 with 8 ports; again, each link with its own info

I tried with multivalues and successfully built a single-line, multivalue topology across all devices/links. Right now I'm stuck on splitting the multivalue fields because they have an uneven number of elements; the "standard" mvjoin/split/rex works well when you have the same number of elements in each multivalue, but that's not my case 😞

Anyway, ty all for your time
PaoloR

0 Karma

Esteemed Legend

You really need to look at Business Flow:
https://www.splunk.com/en_us/software/business-analytics-and-process-mining.html

You might also check out some mod-viz on Splunkbase:
Force Directed App: https://splunkbase.splunk.com/app/3767/
Graph Viz: https://splunkbase.splunk.com/app/4346/
AfterGlow: https://splunkbase.splunk.com/app/277/

0 Karma

Engager

You could try multisearch, something like this:

| multisearch
    [ search <Source A base search>
      | search <filter for Source A>
      | fields <fields you want from that search> ]
    [ search <Source B base search>
      | search <filter for Source B>
      | fields <fields you want from that search> ]
    [ search <Source C base search>
      | search <filter for Source C>
      | fields <fields you want from that search> ]
| eval <new_field>=if(like(<field_a>,"%pattern%"),"<value_b>",<field_c>)

For example, I use it for potentially malicious user agents:

| multisearch
    [ search (index=proxy) "script"
      | search httpuseragent="*script*"
      | fields time, httpuseragent, src_ip, url ]
    [ search (index=proxy OR sourcetype=f5) "Iceweasel"
      | search httpuseragent="Iceweasel*"
      | fields time, httpuseragent, src_ip, url ]
    [ search (index=proxy OR sourcetype=f5) "Meterpreter/Windows"
      | search httpuseragent="*Meterpreter/Windows*"
      | fields time, httpuseragent, src_ip, url ]
    [ search (index=proxy OR sourcetype=f5) "Mozilla/5.00 (Nikto/"
      | search httpuseragent="Mozilla/5.00 (Nikto/*"
      | fields time, httpuseragent, src_ip, url ]
    [ search (index=proxy OR sourcetype=f5) "dirb"
      | search httpuseragent="dirb*"
      | fields time, httpuseragent, src_ip, url ]
    [ search (index=proxy OR sourcetype=f5) "WinHttp.WinHttpRequest"
      | search httpuseragent="*Win32; WinHttp.WinHttpRequest*"
      | fields time, httpuseragent, src_ip, url ]
| eval suspectissue=if(like(httpuseragent,"%script%"),"Cross Site Scripting",suspectissue)
| eval suspectissue=if(like(httpuseragent,"%Iceweasel%"),"Kali",suspectissue)
| eval suspectissue=if(like(httpuseragent,"%Meterpreter%"),"Meterpreter",suspectissue)
| eval suspectissue=if(like(httpuseragent,"%(Nikto/%"),"Nikto Scanning",suspectissue)
| eval suspectissue=if(like(httpuseragent,"%dirb%"),"DirbScanning",suspectissue)
| eval suspectissue=if(like(httpuseragent,"%WinHttp.WinHttpRequest%"),"WScript",suspectissue)
| stats latest(time) AS Latest, values(url) AS url BY httpuseragent, suspectissue, src_ip

0 Karma