01-31-2020 11:00 AM
Hello folks,
I imported Log Data in Neo4j from Elastic Search and the next step would be the connection of the (raw) events to each other:
The following cypher:
MATCH (e:event)
WHERE not e.destination_IP = "empty"
return e.timestamp, e.source_IP, e.host_NAME, e.network_DIRECTION, e.client_PORT, e.destination_IP, e.server_IP
LIMIT 10
shows some of these events:
e.host_NAME   e.source_IP        e.network_DIRECTION   e.destination_IP
"guac"        "192.168.178.26"   "outbound"            "192.168.178.73"
"guac"        "127.0.0.1"        "outbound"            "127.0.0.1"
"guac"        "192.168.178.52"   "inbound"             "192.168.178.26"
"guac"        "127.0.0.1"        "unknown"             "127.0.0.1"
"guac"        "192.168.178.26"   "outbound"            "192.168.178.1"
"guac"        "192.168.178.26"   "outbound"            "192.168.178.1"
"guac"        "127.0.0.1"        "outbound"            "127.0.0.53"
"nginx"       "192.168.178.26"   "inbound"             "192.168.178.73"
"guac"        "192.168.178.52"   "inbound"             "192.168.178.26"
I tried to find events with the same IP relation (3.10.2.2. Create a relationship and set properties):
MATCH (a:event),(b:event)
WHERE a.destination_IP = b.source_IP
create (a.source_IP)-[:direction {e.network_DIRECTION}]-(b.destination_IP)
return a,b
This does NOT work and ends with an error:
Invalid input '.': expected an identifier character, whitespace, COPY, node labels, a property map, ')' or a relationship pattern (line 3, column 11 (offset: 74))
" create (a.source_IP)-[:direction {e.network_DIRECTION}]-(b.destination_IP)"
and I tried a statement without relationship:
MATCH (a:event),(b:event)
WHERE a.destination_IP = b.source_IP
return a,b
This ends with a black screen, as I ignored the "Cartesian product error warning".
Is there a hint to create the relationship?
Is there a good way to find events with the same identifier, like an IP address?
Any other hints?
Greetings Sebastian
01-31-2020 11:33 AM
Hello,
The error you're getting is because you're attempting to use properties in the pattern where only the node variable is needed.
In your pattern, instead of (a.source_IP) and (b.destination_IP), use (a) and (b) instead. That is assuming that those are the nodes you're trying to connect. If not, then you need an additional MATCH to whatever nodes are ultimately meant to be connected by this query.
Also the properties section of the relationship in your CREATE isn't correct: [:direction {e.network_DIRECTION}]
For one, there isn't a property mapping here. We don't know which property you're trying to set on the relationship, there is no property key. An example of property syntax here might be {name: a.name}, as it provides the property key and the value to use.
Additionally there is no variable e in scope, so even if you had something like [:direction {direction: e.network_DIRECTION}] it would fail, since e doesn't exist.
Also, when using a CREATE, the relationship must have a direction, signified by an arrow in the pattern pointing to one node or the other.
Also you seem to be mixing up your variables. You joined two events by a.destination_IP = b.source_IP, but your create seems to show you want to connect from a's source_IP to b's destination_IP.
02-02-2020 02:45 AM
With your hints I get the first relationship between the nodes - THX!
My first statement produces over 200K relationships between 5000 nodes and there was a resources warning.
Actually I work with 500 nodes and a where statement that filters unnecessary relationships out:
MATCH (a:event),(b:event)
WHERE a.destination_IP = b.source_IP and not a.destination_IP = "127.0.0.1" and not a.destination_IP ="empty"
create (a)-[r:n_d {network: a.network_DIRECTION}]->(b)
return a,b
LIMIT 50
I think the next step would be more considerations about the graph model.
Are there any hints to model graphs with log data?
Greetings Sebastian
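As an added example (not code from either poster), the following Cypher shows the two things the thread circles around: the corrected form of the CREATE from the first answer (node variables in the pattern, an arrow for direction, a property key with an in-scope value), and a way to answer the second question about events sharing an identifier without the all-pairs MATCH (a:event),(b:event) that triggered the Cartesian product warning and the 200K relationships. Instead of comparing every event with every other event, each IP address becomes its own node, each event points at its source and destination IP, and "events with the same IP" is a two-hop traversal through that shared IP node. The sample events, the :IP label, the addr property and the :FROM/:TO relationship types are assumptions; only the event properties and the n_d type come from the thread. The uniqueness constraint uses Neo4j 3.5/4.x syntax, as this thread dates from 2020.

```cypher
// Constructed sample data (hypothetical hosts and addresses, not the thread's import).
// Only a few events are needed to see the pattern; timestamps are plain integers.
UNWIND [
  {ts: 1, host: 'guac',  src: '192.168.178.26', dir: 'outbound', dst: '192.168.178.73'},
  {ts: 2, host: 'nginx', src: '192.168.178.73', dir: 'inbound',  dst: '192.168.178.26'},
  {ts: 3, host: 'guac',  src: '127.0.0.1',      dir: 'outbound', dst: '127.0.0.1'},
  {ts: 4, host: 'guac',  src: '192.168.178.52', dir: 'inbound',  dst: '192.168.178.26'},
  {ts: 5, host: 'guac',  src: '192.168.178.26', dir: 'outbound', dst: 'empty'}
] AS row
CREATE (:event {timestamp: row.ts, host_NAME: row.host, source_IP: row.src,
                network_DIRECTION: row.dir, destination_IP: row.dst});

// One node per IP address. The uniqueness constraint also gives MERGE an index,
// so looking up an address is not a full scan of all :IP nodes.
CREATE CONSTRAINT ON (i:IP) ASSERT i.addr IS UNIQUE;

// Attach every usable event to its source and destination IP nodes.
// Events with a placeholder address are left unattached rather than
// producing a bogus IP node called "empty".
MATCH (e:event)
WHERE e.source_IP <> 'empty' AND e.destination_IP <> 'empty'
MERGE (s:IP {addr: e.source_IP})
MERGE (d:IP {addr: e.destination_IP})
MERGE (e)-[:FROM]->(s)
MERGE (e)-[:TO]->(d);

// "Events with the same IP": a's destination is b's source, found by walking
// through the shared IP node instead of comparing every pair of events.
// Loopback traffic is filtered on the IP node, a <> b keeps an event from
// matching itself.
MATCH (a:event)-[:TO]->(ip:IP)<-[:FROM]-(b:event)
WHERE ip.addr <> '127.0.0.1' AND a <> b
RETURN ip.addr, a.timestamp AS from_event, b.timestamp AS to_event, a.network_DIRECTION
ORDER BY ip.addr, a.timestamp;

// The corrected form of the original CREATE: node variables in the pattern,
// an explicit arrow, a property key, and a value taken from a variable that
// is actually in scope. MERGE instead of CREATE keeps the statement
// re-runnable without duplicating relationships.
MATCH (a:event)-[:TO]->(ip:IP)<-[:FROM]-(b:event)
WHERE ip.addr <> '127.0.0.1' AND a <> b
MERGE (a)-[r:n_d]->(b)
SET r.network = a.network_DIRECTION;

// Sanity check: how many event-to-event links were created.
MATCH ()-[r:n_d]->()
RETURN count(r) AS n_d_relationships;
```

Run the statements one at a time in Neo4j Browser, or feed the whole file to cypher-shell. The point of the :IP node is that the expensive step, finding which events share an address, now costs one index lookup per event plus a bounded traversal, so the same query on the full 5000-node import no longer has to examine 25 million event pairs; the event-to-event n_d relationship can still be materialised afterwards if the graph model wants it, but it is derived from the IP nodes rather than from a cross product.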