Re: Recursive query with unlimited depth

jg91 · ‎03-13-2021

Hello,

I want to search for all src hosts that connect to a specific destination with or without intermediary hopes. I want to use a recursive query on the core firewall logs and its dest and src fields to find all sources.
Would you please help me with this query?

tscroggins · ‎03-13-2021

@jg91

Can you describe your events? Are you using one source type with src and dest fields? What "connects" a src to a dest if intermediate connections exist?

jg91 · ‎03-13-2021

My events are firewall events with src, dest, and actions fields, and a firewall log event with allowed action is the connection between two nodes.

My events:

A -> target (raw event: src=A dest=target action=allow)

B -> A (raw event: src=B dest=A action=allow)

C -> B (raw event: src=C dest=B action=allow)

D -> B (raw event: src=D dest=B action=allow)

A -> C (raw event: src=A dest=C action=allow)

C -> D (raw event: src=C dest=D action=allow)

My goal is to find A, B, C, D nodes (all nodes that have a route/connection to the target node) with a recursive query.

Recursive query with unlimited depth

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation