Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Recursive query with unlimited depth

jg91
Path Finder
‎03-13-2021 05:05 AM

Hello,

I want to search for all src hosts that connect to a specific destination with or without intermediary hopes. I want to use a recursive query on the core firewall logs and its dest and src fields to find all sources.
Would you please help me with this query?

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

tscroggins
Influencer
‎03-13-2021 02:10 PM

@jg91 

Can you describe your events? Are you using one source type with src and dest fields? What "connects" a src to a dest if intermediate connections exist?

0 Karma
Reply

jg91
Path Finder
‎03-13-2021 07:10 PM

My events are firewall events with src, dest, and actions fields, and a firewall log event with allowed action is the connection between two nodes.

My events:

A -> target (raw event:  src=A dest=target action=allow)

B -> A (raw event: src=B dest=A action=allow)

C -> B (raw event: src=C dest=B action=allow)

D -> B (raw event: src=D dest=B action=allow)

A -> C (raw event: src=A dest=C action=allow)

C -> D (raw event: src=C dest=D action=allow)

My goal is to find A, B, C, D nodes (all nodes that have a route/connection to the target node) with a recursive query.

0 Karma
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...