flowsearch

Loads a flow rule consisting of the subnet of the IP network, ports, and protocol conditions defined by a subquery, compares them with input records, and assigns all searched flow identifiers as arrays in the _flow field.

Syntax

flowsearch [ SUBQUERY ]
Required Parameters
[ SUBQUERY ]
Subquery to define the flow rules, enclosed in a pair of square brackets ([ ]).

Description

You can load the flow rule from any location, including a file, table, remote RDBMS, and the like, and the field configuration and type must match to be recognized as a valid rule. The number of flow rules to be applied to a subquery cannot exceed 10,000. From the 10,001th rule, they are ignored.

If the subquery fails, the cause of the error is output in the _flowsearch_error field. If you add an exception handling command that checks for the existence of the _flowsearch_error field value after the flowsearch command, unintended errors or malfunctions can be prevented.

Definition of input record fields

FieldTypeRequiredDescription
src_ipIP addressYesSource IP address
src_portIntegerNo (null allowed)Source port number
dst_ipIP addressYesDestination IP address
dst_portIntegerNo (null allowed)Destination port number
protocolStringNo (null allowed)Protocol

If the field type in the input record does not match, or if required fields are missing, the command outputs the record as it is without checking the flow rule.

Definition of flow rule fields

FieldTypeRequiredDescription
src_ipIP addressYesSource IP address
src_cidrIntegerYesSource netmask (0-32)
src_portIngegerNo (null allowed)Source port number (0-65535)
dst_ipIP addressYesDestination IP address
dst_cidrIntegerYesDestination netmask (0-32)
dst_portIntegerNo (null allowed)Destination port number (0-65535)
protocolStringNo (null allowed)Protocol (TCP, UDP, ICMP, ...)
flowArbitraryYesFlow identifier

Each time a record is provided into the flowsearch command, it compares the 5-tuple value input with the flow rule and assigns the matching flow identifier as a list in the _flow field.

Both the ip and cidr of the flow rule are required fields, but if the src_ip of the rule is 0.0.0.0 and the src_cidr is 0, it is true for all source IP addresses. So set 0.0.0.0/0 for the rule to allow all values for the source or destination.

For example, for the flow rule below, if the input record is src_ip=106.75.11.63, src_port=57776, dst_ip=106.246.20.67, dst_port=80, and protocol=TCP, then it matches with the flow 2, so the _flow=["flow2"] field is added to the output record.

Examples of flow rules

src_ipsrc_cidrsrc_portdst_ipdst_cidrdst_portprotocolflow
211.36.133.024null106.246.20.673280TCPflow1
106.75.11.024null106.246.20.6732nullTCPflow2

Usage

json "{}"
| eval src_ip=ip("106.75.11.63"),
    src_port=57776
| eval dst_ip=ip("106.246.20.67"),
    dst_port=80, protocol="TCP"
| # Initiating the flowsearch command that defines the flow search rule
| flowsearch [
    union [
        json "{}"
        | eval src_ip=ip("211.36.133.0"),
               dst_ip=ip("106.246.20.67"),
               flow="flow1"
    ]
    | union [
        json "{}"
        | eval src_ip=ip("106.75.11.0"),
               dst_ip=ip("106.246.20.67"),
               flow="flow2"
    ]
    | eval src_cidr=24, dst_cidr=32
]
| fields src_ip, src_port, dst_ip, dst_port, protocol, _flow