looping a function

nadlurinadluri · ‎07-09-2020

HI Splunkers,

I am looking for some help on loops in splunk. I have a lookup file like below.

from,to
parent,child1
parent,child2
parent,xyz
child1,son1
child1,daughter1
child2,son2
child2,daughter2
xyz,kid1
son1,kid1
son2,kid2

I want to know all those nodes which has some kind of direct relation (like a network path) to kid1.. the output should be kid1,son1,child1,parent,xyz
kid1---> son1
son1 -->child1
child1--->parent
kid1--> xyz
xyz--> parent

I have the below query which gives me the required output. but as you can see I ran the lookup file multiple times to get the path, but I dont want to do it. I want to have a loop till we reach the end as "Parent" for each node. I know SPLis not a programming language , but curious to know if this is possible. Please help.

| makeresults
| eval find="kid1"
| lookup network.csv to AS find output from
| mvexpand from
| lookup network.csv to AS from output from AS from1
| mvexpand from1
| lookup network.csv to AS from1 output from AS from2
| mvexpand from2
| eval newField=find."-".from."-".from1
| makemv delim="-" newField
| table newField
| mvexpand newField
| dedup newField
| stats values(newField) As output

niketn · ‎07-09-2020

@nadlurinadluri I think what is more important to know is that what do you want to do when you identify parent/child relationship recursively. If this is use case around visualizing the relationship, the original from to data can plug in directly into so many visualizations built for Graph and Relationships. If we have better understanding of your actual use case the visualizations can be converted to the story of your choice. There are several Custom Visualization Apps that you can find on Splunkbase:

And many more 🙂

Following is a run anywhere example with some of the Custom Visualizations from the above list. However each visualization is way more powerful than depicted depending on the Use Case. I have just used the from/to table provided in the question to build these.

Following is the Simple XML Code which will work only after respective Custom Visualization is installed.

<dashboard>
  <label>Relationship Mapping</label>
  <row>
    <panel>
      <title>Sankey</title>
      <viz type="sankey_diagram_app.sankey_diagram">
        <search>
          <query>| makeresults 
| fields - _time
| eval data="parent,child1;parent,child2;parent,xyz;child1,son1;child1,daughter1;child2,son2;child2,daughter2;xyz,kid1;son1,kid1;son2,kid2" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim="," 
| eval from=mvindex(data,0), to=mvindex(data,1)
| fields from to</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="height">394</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
    <panel>
      <title>Parallel Coordinates</title>
      <viz type="parallel_coordinates_app.parallel_coordinates">
        <search>
          <query>| makeresults 
| fields - _time
| eval data="parent,child1;parent,child2;parent,xyz;child1,son1;child1,daughter1;child2,son2;child2,daughter2;xyz,kid1;son1,kid1;son2,kid2" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim="," 
| eval from=mvindex(data,0), to=mvindex(data,1)
| table from to</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="height">393</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
    <panel>
      <title>Force Directed Visualization</title>
      <viz type="force_directed_viz.force_directed">
        <search>
          <query>| makeresults 
| fields - _time
| eval data="parent,child1;parent,child2;parent,xyz;child1,son1;child1,daughter1;child2,son2;child2,daughter2;xyz,kid1;son1,kid1;son2,kid2" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim="," 
| eval from=mvindex(data,0), to=mvindex(data,1)
| fields from to</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="height">396</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
  <row>
    <panel>
      <title>Flow Map Viz</title>
      <viz type="flow_map_viz.flow_map_viz">
        <search>
          <query>| makeresults 
| fields - _time
| eval data="parent,child1;parent,child2;parent,xyz;child1,son1;child1,daughter1;child2,son2;child2,daughter2;xyz,kid1;son1,kid1;son2,kid2" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim="," 
| eval from=mvindex(data,0), to=mvindex(data,1)
| fields from to</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="height">354</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
    <panel>
      <title>Network Diagram Viz</title>
      <viz type="network-diagram-viz.network-diagram-viz">
        <search>
          <query>| makeresults 
| fields - _time
| eval data="parent,child1;parent,child2;parent,xyz;child1,son1;child1,daughter1;child2,son2;child2,daughter2;xyz,kid1;son1,kid1;son2,kid2" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim="," 
| eval from=mvindex(data,0), to=mvindex(data,1)
| eval value=from
| fields from to value</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="height">351</option>
        <option name="network-diagram-viz.network-diagram-viz.arrowLocation">none</option>
        <option name="network-diagram-viz.network-diagram-viz.canZoom">true</option>
        <option name="network-diagram-viz.network-diagram-viz.clusterBy">none</option>
        <option name="network-diagram-viz.network-diagram-viz.defaultNodeType">circle</option>
        <option name="network-diagram-viz.network-diagram-viz.draggableNodes">true</option>
        <option name="network-diagram-viz.network-diagram-viz.enablePhysics">true</option>
        <option name="network-diagram-viz.network-diagram-viz.hierarchy">true</option>
        <option name="network-diagram-viz.network-diagram-viz.hierarchyDirection">Top-Down</option>
        <option name="network-diagram-viz.network-diagram-viz.hierarchySortMethod">directed</option>
        <option name="network-diagram-viz.network-diagram-viz.linkTextLocation">bottom</option>
        <option name="network-diagram-viz.network-diagram-viz.linkTextSize">medium</option>
        <option name="network-diagram-viz.network-diagram-viz.nodeTextSize">medium</option>
        <option name="network-diagram-viz.network-diagram-viz.smoothEdgeType">dynamic</option>
        <option name="network-diagram-viz.network-diagram-viz.smoothEdges">true</option>
        <option name="network-diagram-viz.network-diagram-viz.tokenNode">nd_node_token</option>
        <option name="network-diagram-viz.network-diagram-viz.tokenToNode">nd_to_node_token</option>
        <option name="network-diagram-viz.network-diagram-viz.tokenToolTip">nd_tooltip_token</option>
        <option name="network-diagram-viz.network-diagram-viz.tokenValue">nd_value_token</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
</dashboard>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

nadlurinadluri · ‎07-09-2020

Awesome, thanks for the graphs!! Really Appreciate it.

Also, I have built a similar one (network graph) on react web framework. The reason I am requesting for that particular data is, if at all something happens to the node (say kid1) I am able to assign a color red to it (by passing a new column ofcourse). In a similar way, I want to find out the parent-child relationship data and convert all of them into red. So I just need to add a search which takes kid1 as red, and gives xyz,child1,son1,parent as red too.

I was able to achieve this using js in my code, but personally I dont like doing any data operations outside of Splunk. Hence trying to figure out how to get this recursive loop function and get the expected output.

Below is a high level view of how I am planning to get the output as. Changing just the color of kid1 is possible, but I am unable to get the info till parent. Do you think that can be achieved?

Thanks for the help.

niketn · ‎07-22-2020

@nadlurinadluri if you have created your own custom viz, you can handle color KPI using SPL and assign same color code to entire tree. In the JS Part you can split the value and KPI color and use color for a particular tree and show the values. Similar approach for a different use case (Table cell coloring) is available here: https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-highlight-a-table-cell-based-on...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

nadlurinadluri · ‎07-09-2020

HI @niketn @woodcock can you help me here if possible. thanks

looping a function

lookup

Preparing your Splunk Environment for OpenSSL3

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...