Hi All,

I couldn't find the way to better analyze AWS VPC flow logs due to the directional logging of AWS VPC, for example below I have 4 flow logs that are ingested in Splunk. Flow 1 and 4 need to be combined, because flow 1 is the outgoing connection from src_ip 10.x.y.208 to dest_ip 23.52.164.61 on the Internet, with src_port being 33112, and dest_port 443. Flow 4 is just the reply from the destination, and is record with reversed src_ip and dest_ip.

account_id ENI# src_ip dest_ip src_port dest_port protocol packets bytes start_time end_time action status

4 1234567890 eni-29ad3ad4 23.52.164.61 10.x.y.208 443 33112 6 7 3664 1519266668 1519266702 ACCEPT OK
3 1234567890 eni-29ad3ad4 23.208.128.39 10.x.y.208 443 51734 6 10 3851 1519266668 1519266702 ACCEPT OK
2 1234567890 eni-29ad3ad4 10.x.y.208 23.36.32.127 59818 443 6 2 135 1519266668 1519266702 ACCEPT OK
1 1234567890 eni-29ad3ad4 10.x.y.208 23.52.164.61 33112 443 6 7 1290 1519266668 1519266702 ACCEPT OK

The question is how I can combine the two flows to show the total bytes which should be 1290+3664, as well as other information, in this case, this is a outbound connection from 10.x.y.208? Also is it possible to calculate the duration of the entire flow using the start_time of flow 1 and end_time of flow 4?

I hope the question is made clear, but please let me know if I need to elaborate on this.

Thanks in advance!