Splunk Search

How to collect events that form part of a common tree

bowesmana
SplunkTrust
SplunkTrust

I have a large NodeRED JSON flows.json file that I'm ingesting into Splunk. In that file there are one or more 'flows', which are made up of a sequence of 'nodes'.

Each NodeRED 'node' is a JSON snippet and I have configured Splunk to ingest these as separate events. In basic form, they look like this

 

{
    "id": "2e88d163.b8d20e",
    "type": "evaluator",
    "z": "430b6531.d34c7c",
    "name": "",
    "x": 870,
    "y": 300,
    "wires": [
        [
            "c53c6260.e6a06"
        ]
    ]
}

 

where x/y/z are UI related attributes, but ID, type and wires are key to the flow sequence. A node can be connected to any number of other nodes via the 'wires', where the id references the id of another node.

As a bit of an exercise I started to wonder if it was possible to 'transaction' all the nodes involved in a single flow so that all the node objects could then be visualised either in a simple table or a sequence diagram. 

The challenge seems to be that there is no common attribute to join all the nodes together. There can be any number of wires in the array, indicating different paths in the flow and the flow can have as many nodes as it likes.

In my case, it always starts with a particular 'type' and ends with another 'type', so I know when the flow starts and ends.

I did think of putting all this data to a lookup, but I still am not sure if it's possible to collect all nodes in a flow as it seems as though I would need to have an unknown number of passes through the data to fill in the wire connections.

Can anyone think how this could be done?

 

Labels (5)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...