Neo4j Commands App
https://splunkbase.splunk.com/app/5495/
This Splunk app introduces a couple of new Splunk search commands to work with a Neo4j graph database. If you want to know more about Neo4j and graph databases, see: What is a Graph Database.
This app introduces the following new Splunk search commands, in which the "g" stands for graph:
gsearch: Type: reporting command. Can be used either to get results from Neo4j as a generating command, or to take the results of a previous Splunk command and look that data up in the Neo4j database.
neo4jsearch: Deprecated, please use gsearch. Only kept for backwards compatibility, as this was the first command created.
gsearchgen: Type: event-generating command that outputs to the reporting pipeline. This command must be the first in the SPL and delivers its results in the Statistics (reporting) tab. It can only be used to search for data in Neo4j and output that to Splunk.
gpath: Type: event-generating command that outputs to the reporting pipeline. This command is specially designed to work with the CMDM solution, as it reports fixed CMDB information. The input for this command is a so-called path.
On top of the above commands, this app offers a user interface to define several Neo4j accounts and environments and to store their passwords securely on the Splunk search heads.
This app is part of a bigger project that I call the Common Metadata Data Model (CMDM). The "Neo4j Commands" app contains the search commands to query a general Neo4j graph database, and also the CMDM. The CMDM is also based on a Neo4j graph database, but it will contain CMDB, Incident, Problem, Change, User and Group information, and other data. The "CMDM" app is (or will be in the near future) also on Splunkbase and will contain the configuration part of the CMDM, the configuration of the ServiceNow CMDB + IPC import, and a modular input to get data out of Splunk directly into the CMDM.
Part of the "Neo4j Commands" app is a Configuration Dashboard which has one tab called "Account".
That screen shows an overview of all defined accounts and the username belonging to each. The "Account name" is the name to use with the search commands. The "neo4j" account is the default; it cannot and should not be removed. It is used when no "account" parameter is given to a search command, or when "account=neo4j" is specified explicitly. Filling in the "neo4j" account is not required, but if it is left empty, searches that fall back to it will not return any output. Since it is the default, it is usually easiest for users if it is configured.
Either add a new account ("add") and fill in the following fields, or edit an existing one (Action -> Edit).
A future release will also add a database field. Ask your Neo4j database engineer for the correct protocol. Because the configured accounts are used to query the configured database(s), specify a read-only Neo4j user, and restrict its access rights further in Neo4j where possible. This "Neo4j Commands" app is prepared to work with Neo4j Aura (SaaS). The password is not shown in the UI and is stored encrypted on the Splunk file system (on the search head, in 'passwords.conf' within the "Neo4j Commands" app). Only Splunk admins can add or remove accounts. Every Splunk user who runs the "Neo4j Commands" search commands needs the "list_storage_passwords" capability. Two caveats that follow from how Splunk itself works: passwords.conf is encrypted with the search head's splunk.secret, so anyone with file-system access to both files can recover the password, and the "list_storage_passwords" capability is not scoped to this app but lets a role read every credential in Splunk's credential store through the REST API. Grant it to a dedicated role for Neo4j users rather than to everyone.
For the accounts, it is best to specify Neo4j users with only read access or even further restrictions. The search commands do come with built-in filters that reject queries containing "CREATE, DELETE and MERGE" statements, so that by design the commands are not meant to modify Neo4j database content. Treat that filter as a safety net, not as the access control: Cypher has further write clauses (for example SET, REMOVE and DETACH DELETE) and procedures can also write, so the read-only Neo4j role is what actually enforces it. In Neo4j Enterprise the built-in "reader" role gives read-only access; Neo4j Community Edition has no role separation, which makes the read-only recommendation impossible there and leaves the filter as the only guard. The capability to insert or modify Neo4j data lives in the "CMDM" app.
The gsearch command is a reporting command. It can be used either to get results from Neo4j as a generating command, or to take the results of a previous Splunk command and look that data up in the Neo4j database. The neo4jsearch command is exactly the same as the gsearch command and only exists because neo4jsearch was created before gsearch. The neo4jsearch command will be removed in a future release; when it is used, a warning message tells the user so.
The parameters are:
query: Mandatory. The query should be a valid Neo4j Cypher query. For more information about Cypher: https://neo4j.com/developer/cypher/. Example: query="MATCH (o:Order)-->(p:Product) RETURN o.name, p.name".
account: Optional. When omitted entirely, the default built-in account "neo4j" is used; if that "neo4j" account is filled in and valid it returns results, otherwise it returns nothing. When "account" is given, it must be a valid account as defined in the Configuration -> Account section ("Account name"), otherwise a warning is shown to the user.
fields: Optional. A comma-separated list of fields from the previous Splunk command's output. Once at least one field is specified, the query can make use of it by referring to it as "splunk.<fieldname>". Example: a query that searches Neo4j for nodes with label "Server" whose attribute equals the value of "splunk.cpu_count", and then returns the name and the number of Servers with the same name. The variable "splunk.cpu_count" refers to the "cpu_count" field produced before the gsearch command. Only fields listed in "fields" can be used within the query.
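As an added example (not taken from the app's documentation), the following SPL shows how the "fields" parameter exposes a Splunk field to the Cypher query. It assumes an account named "cmdb_ro" defined under Configuration -> Account, a lookup file host_inventory.csv with host and cpu_count columns, and Neo4j nodes labelled Server with name and cpu_count properties; all three are constructed for this example.

```spl
| inputlookup host_inventory.csv
| fields host, cpu_count
| gsearch account="cmdb_ro" fields="cpu_count"
    query="MATCH (s:Server) WHERE s.cpu_count = splunk.cpu_count RETURN s.name AS server, count(s) AS servers"
```

Only cpu_count is listed in "fields", so a reference to splunk.host inside the query would not resolve. The same lookup without upstream fields is written as the first command of a search, `| gsearchgen account="cmdb_ro" query="MATCH (s:Server) RETURN s.name AS server, s.cpu_count AS cpu_count"`, and its results appear in the Statistics tab.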
The gsearchgen command offers the same as the gsearch command, but is a real generating command. Meaning it must start with a "|" and be the first command in the search. Its results do not appear in the Events tab but in the Statistics (reporting) tab.
For a description of the parameters see the gsearch command.
The gpath command is designed to output CMDB (Configuration Management DataBase) information. Some of its output options are specially meant to work with Splunk IT Service Intelligence (ITSI).
The parameters are:
query: Mandatory. The query should be a valid Neo4j Cypher query, but here it must return a path. For more information about Cypher: https://neo4j.com/developer/cypher/. Example: query="MATCH p=(:Order)--(:Product) RETURN p". The trick is that the variable is bound to a path. One or more paths can be part of the query.
account: Optional. When omitted as a whole the default built-in account "neo4j" is used. If that "neo4j" account is filled in and valid it will return results otherwise it doesn't. When "account" is used it should be a valid account as defined in the Configuration -> Account section ("Account name"), otherwise it will generate a warning to the user.
output: Optional. When omitted the output will be set to "cmdb". The following values can be used:
cmdb: presents the output of the cypher query. This is the default when no output is specified. Can be executed on ITSI Search Heads or non-ITSI Search Heads.
services: presents a list of all of the currently defined Splunk ITSI Services. Can only be used on a Splunk ITSI Server.
entities: presents a list of all of the currently defined Splunk ITSI Entities. Can only be used on a Splunk ITSI Server.
itsi: presents the output of the cypher query in a format that Splunk ITSI can consume immediately to import Services, dependent Services and Entities.
delta: compares the result of the cypher query with what is currently configured in Splunk ITSI. In the output, a zero means the item cannot be found within Splunk ITSI; a one means it is found.
entities: Optional. Only valid in combination with "output=itsi" or "output=delta". Specify a comma-separated list of path node labels which should become Splunk ITSI entities. E.g. entities="LinuxServer" marks the node LinuxServer as an entity ("E"). If a path node is neither part of this option nor part of the serviceentities option, it automatically stays an "S" (Service).
serviceentities: Optional. Only valid in combination with "output=itsi" or "output=delta". Specify a comma-separated list of path node labels which should become Splunk ITSI Services as well as Splunk ITSI Entities.
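An added example (not from the app's documentation) of a gpath call that returns a path and marks which nodes become ITSI entities. The node labels BusinessService, Application and LinuxServer and the account name "cmdb_ro" are assumed for this example.

```spl
| gpath account="cmdb_ro" output="itsi"
    query="MATCH p=(:BusinessService)--(:Application)--(:LinuxServer) RETURN p"
    entities="LinuxServer"
    serviceentities="Application"
```

BusinessService nodes are named in neither option, so they stay services ("S"); Application nodes become both a service and an entity; LinuxServer nodes become entities ("E"). Replacing output="itsi" with output="delta" runs the same query but reports, per item, whether it already exists in ITSI (1) or not (0), which is a convenient check before importing.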