https://community.splunk.com/t5/Splunk-Search/Matching-events-with-same-values-across-different-fields/m-p/572249#M199444 <P>If this isn't sufficient</P><LI-CODE lang="markup">| where source_port&gt;destination_port</LI-CODE><P>try this</P><LI-CODE lang="markup">| makeresults | eval _raw="source_ip source_port destination_ip destination_port 1.1.1.1 42000 2.2.2.2 80 2.2.2.2 80 1.1.1.1 42000 1.1.1.5 42300 2.2.2.2 80 3.3.3.3 134 5.5.5.5 80" | multikv forceheader=1 | table source_ip source_port destination_ip destination_port | eval highport=if(source_port&gt;destination_port,source_ip.":".source_port.",".destination_ip.":".destination_port,destination_ip.":".destination_port.",".source_ip.":".source_port) | eventstats count by highport | where count=1 OR highport=source_ip.":".source_port.",".destination_ip.":".destination_port</LI-CODE> Mon, 25 Oct 2021 11:50:54 GMT ITWhisperer 2021-10-25T11:50:54Z https://community.splunk.com/t5/Splunk-Search/Matching-events-with-same-values-across-different-fields/m-p/572239#M199440 <P>HI All</P><P>I have IP flow based information being ingested into Splunk, which consists of source_ip, source_port, destination_ip, destination_port.&nbsp;</P><P>Occasionally, due to the environmental factors, we get a duplicate log of the flow in the reverse direction.&nbsp;</P><P>E.g.</P><P>source_ip&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;source_port&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; destination_ip&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; destination_port</P><P>1.1.1.1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 42000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 2.2.2.2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;80&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;- &nbsp;Keep this</P><P>2.2.2.2.&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 80&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;1.1.1.1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;42000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;- I would like to discard this&nbsp;</P><P>1.1.1.5&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;42300&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 2.2.2.2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 80</P><P>3.3.3.3&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;134&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;5.5.5.5.&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 80 &nbsp; &nbsp;&nbsp; &nbsp;</P><P>My goal is to identify and ultimately filter out the duplicated entries.</P><P>What I am having trouble with is coming up with a query to flag events where there is a duplicate entry (in reverse direction).</P><P>I can then filter out the “flagged” duplicate entries where say source_port &lt; destination_port.</P><P>I am trying to avoid using computational heavy commands such as nested searches as the data set is quite large.&nbsp;</P><P>Would greatly appreciate some ideas or assistance on how this can be tackled.</P> Mon, 25 Oct 2021 10:52:34 GMT https://community.splunk.com/t5/Splunk-Search/Matching-events-with-same-values-across-different-fields/m-p/572239#M199440 devak 2021-10-25T10:52:34Z https://community.splunk.com/t5/Splunk-Search/Matching-events-with-same-values-across-different-fields/m-p/572249#M199444 <P>If this isn't sufficient</P><LI-CODE lang="markup">| where source_port&gt;destination_port</LI-CODE><P>try this</P><LI-CODE lang="markup">| makeresults | eval _raw="source_ip source_port destination_ip destination_port 1.1.1.1 42000 2.2.2.2 80 2.2.2.2 80 1.1.1.1 42000 1.1.1.5 42300 2.2.2.2 80 3.3.3.3 134 5.5.5.5 80" | multikv forceheader=1 | table source_ip source_port destination_ip destination_port | eval highport=if(source_port&gt;destination_port,source_ip.":".source_port.",".destination_ip.":".destination_port,destination_ip.":".destination_port.",".source_ip.":".source_port) | eventstats count by highport | where count=1 OR highport=source_ip.":".source_port.",".destination_ip.":".destination_port</LI-CODE> Mon, 25 Oct 2021 11:50:54 GMT https://community.splunk.com/t5/Splunk-Search/Matching-events-with-same-values-across-different-fields/m-p/572249#M199444 ITWhisperer 2021-10-25T11:50:54Z https://community.splunk.com/t5/Splunk-Search/Matching-events-with-same-values-across-different-fields/m-p/572258#M199448 <P>Thats fantastic, thank you.&nbsp;<BR />I really like the way you have solved it.<BR /><BR /></P> Mon, 25 Oct 2021 12:24:44 GMT https://community.splunk.com/t5/Splunk-Search/Matching-events-with-same-values-across-different-fields/m-p/572258#M199448 devak 2021-10-25T12:24:44Z