Create relationship/properties on existing nodes

Hello folks,
I imported Log Data in Neo4j from Elastic Search and the next step would be the connection of the (raw) events to each other:

The following cypher:

MATCH (e:event)
WHERE not e.destination_IP = "empty"
return e.timestamp, e.source_IP, e.host_NAME, e.network_DIRECTION,e.client_PORT,e.destination_IP, e.server_IP 
LIMIT 10

shows some of these events:

e.host_NAME		e.source_IP			e.network_DIRECTION	e.destination_IP
"guac"			"192.168.178.26"	"outbound"			"192.168.178.73"
"guac"			"127.0.0.1"			"outbound"			"127.0.0.1"
"guac"			"192.168.178.52"	"inbound"			"192.168.178.26"
"guac"			"127.0.0.1"			"unknown"			"127.0.0.1"
"guac"			"192.168.178.26"	"outbound"			"192.168.178.1"
"guac"			"192.168.178.26"	"outbound"			"192.168.178.1"
"guac"			"127.0.0.1"			"outbound"			"127.0.0.53"
"nginx"			"192.168.178.26"	"inbound"			"192.168.178.73"
"guac"			"192.168.178.52"	"inbound"			"192.168.178.26"

I tried to find events with the same IP relation - (3.10.2.2. Create a relationship and set properties)

MATCH (a:event),(b:event)
 WHERE a.destination_IP = b.source_IP
 create (a.source_IP)-[:direction {e.network_DIRECTION}]-(b.destination_IP)
 return a,b		

This does NOT work ends with an error:

Invalid input '.': expected an identifier character, whitespace, COPY, node labels, a property map, ')' or a relationship pattern (line 3, column 11 (offset: 74))
" create (a.source_IP)-[:direction {e.network_DIRECTION}]-(b.destination_IP)"

and I tried a statement without relationship:

MATCH (a:event),(b:event)
 WHERE a.destination_IP = b.source_IP

 return a,b	

this ends with a black screen as I ignored the "cartessian product error warning"

Is there a hint to create the relationship ?
Is there a good way to find events with the same identifier like IP-Adress?
Any other hints ?

Greetings Sebastian

Hello,

The error you're getting is because you're attempting to use properties in the pattern where only the node variable is needed.

In your pattern, instead of (a.source_IP) and (b.destination_IP) use this instead:

(a) and (b). That is assuming that those are the nodes you're trying to connect. If not, then you need an additional MATCH to whatever nodes are ultimately meant to be connected by this query.

Also the properties section of the relationship in your CREATE isn't correct.

[:direction {e.network_DIRECTION}]

For one, there isn't a property mapping here. We don't know which property you're trying to set on the relationship, there is no property key. An example of property syntax here might be {name: a.name}, as it provides the property key and the value to use.

Additionally there is no variable e in scope, so even if you had something like [:direction {direction: e.network_DIRECTION}] it would fail, since e doesn't exist.

Also, when using a CREATE, the relationship must have a direction, signified by an arrow in the pattern pointing to one node or the other.

Also you seem to be mixing up your variables. You joined to events by a.destination_IP = b.source_IP, but your create seems to show you want to connect from a's source_IP to b's destination_IP.

With your hints I get the first relationship between the nodes-THX!

My first first statement produces over 200K relationships between 5000 nodes and there was a ressources warning.
Actually I work with 500 nodes and a where statement that filters unnecessary relationships out:

MATCH (a:event),(b:event)
 WHERE a.destination_IP = b.source_IP and not a.destination_IP = "127.0.0.1" and not a.destination_IP ="empty"
 create (a)-[r:n_d {network: a.network_DIRECTION}]->(b)
 return a,b	
 LIMIT 50

I think the next step would be more considerations about the graph model.

Are there any hints to model graphs with log data?

Greetings Sebastian