Recursive query with unlimited depth

jg91 · ‎03-13-2021

Hello,

I want to search for all src hosts that connect to a specific destination with or without intermediary hopes. I want to use a recursive query on the core firewall logs and its dest and src fields to find all sources.
Would you please help me with this query?

tscroggins · ‎03-13-2021

@jg91

Can you describe your events? Are you using one source type with src and dest fields? What "connects" a src to a dest if intermediate connections exist?

jg91 · ‎03-13-2021

My events are firewall events with src, dest, and actions fields, and a firewall log event with allowed action is the connection between two nodes.

My events:

A -> target (raw event: src=A dest=target action=allow)

B -> A (raw event: src=B dest=A action=allow)

C -> B (raw event: src=C dest=B action=allow)

D -> B (raw event: src=D dest=B action=allow)

A -> C (raw event: src=A dest=C action=allow)

C -> D (raw event: src=C dest=D action=allow)

My goal is to find A, B, C, D nodes (all nodes that have a route/connection to the target node) with a recursive query.

Recursive query with unlimited depth

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

Recursive query with unlimited depth

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0