This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Head's Up! These forums are read-only. All users and content have migrated. Please join us at community.neo4j.com.

Importing Netflow (ish) issues

mcflyonly
Node

‎06-10-2019 08:25 PM

Hello,

I'm having some issues building proper relationships with neo4j and I assume this is due to my poor loading. I basically want to import something that is almost like netflow:

user, src_ip,dst_ip,protocol,packets,bytes,start_time,end_time,action,log-status
tom,10.0.1.243,10.0.1.185,88,64304,6,4,378,1763709753,1763709811,ACCEPT,OK
tom,10.0.1.185,10.0.1.243,64309,88,6,4,478,1763709753,1763709811,ACCEPT,OK

I created my nodes as follows:

MERGE(a: attribute {ip:{IP}})"
ON CREATE SET a = {ip:{IP}, user_id:{USER_ID}}"

And the relationship:

MATCH (a: attribute), (b: attribute) 
WHERE a.ip = {SRC_IP} AND b.ip = {DST_IP}
MERGE (a)-[rel: flow {start_time:{START_TIME},end_time:{END_TIME}}]->(b)
ON CREATE SET rel = { 
                             proto:{PROTO}, 
                             src_port:{SRC_PORT},
                             dst_port:{DST_PORT}, 
                             packets:{PACKETS}, 
                             bytes:{BYTES}, 
                             action:{ACTION}}
RETURN rel

Then I us py2neo with:

graph.schema.create_uniqueness_constraint("attribute", "ip")

Couple of problems it loads but very slow and fails after 200k relationships (there should be around 3M). With what is loaded I see the relationship type "flow" which is what I added but I can't query it in meaningful way (e.g. I can't seem to do ip.src_port any to ip.dst_port =~ "443" or find the volume of traffic between nodes etc...).

Could someone point me in the right direction ?

Thanks !

Labels:
Reply
2 REPLIES 2

stefan_armbrust
Neo4j
Neo4j

‎06-12-2019 07:46 AM

You should create your unique constraint prior to loading the data. The MATCH otherwise gets slower and slower.
Also consider transaction sizes - adding 200k rels in one tx might be too large.

0 Kudos
Reply

mcflyonly
Node
In response to stefan_armbrust

‎06-12-2019 08:28 AM

Hi @stefan.armbruster, I do not do 200k in one commits I do batch tx of 5000.
I just can't believe no one loaded netflow in neo4j I can't seem to find anything meaningful around netflow and neo4j.

0 Kudos
Reply
Nodes 2022
Nodes
NODES 2022, Neo4j Online Education Summit

All the sessions of the conference are now available online

Watch replays