Splunk Search

Recursive query with unlimited depth

jg91
Path Finder

Hello,

I want to search for all src hosts that connect to a specific destination with or without intermediary hopes. I want to use a recursive query on the core firewall logs and its dest and src fields to find all sources.
Would you please help me with this query?

 

Tags (2)
0 Karma

tscroggins
Influencer

@jg91 

Can you describe your events? Are you using one source type with src and dest fields? What "connects" a src to a dest if intermediate connections exist?

0 Karma

jg91
Path Finder

My events are firewall events with src, dest, and actions fields, and a firewall log event with allowed action is the connection between two nodes.

My events:

A -> target (raw event:  src=A dest=target action=allow)

B -> A (raw event: src=B dest=A action=allow)

C -> B (raw event: src=C dest=B action=allow)

D -> B (raw event: src=D dest=B action=allow)

A -> C (raw event: src=A dest=C action=allow)

C -> D (raw event: src=C dest=D action=allow)

My goal is to find A, B, C, D nodes (all nodes that have a route/connection to the target node) with a recursive query.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...