I couldn't find a way to better analyze AWS VPC flow logs due to the directional logging of AWS VPC. For example, below I have 4 flow logs that are ingested in Splunk. Flow 1 and 4 need to be combined, because flow 1 is the outgoing connection from srcip 10.x.y.208 to destip 184.108.40.206 on the Internet, with srcport being 33112 and destport 443. Flow 4 is just the reply from the destination, and is recorded with reversed srcip and destip.
The question is how I can combine the two flows to show the total bytes, which should be 1290+3664, as well as other information (in this case, this is an outbound connection from 10.x.y.208). Also, is it possible to calculate the duration of the entire flow using the starttime of flow 1 and endtime of flow 4?
I hope the question is made clear, but please let me know if I need to elaborate on this.
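The pairing described in the question, as an added example that is not part of the original post: normalize the two endpoints of each VPC flow log record into one conversation key, then sum bytes and take min(start)/max(end) per key. The sample records are constructed (the 10.0.1.208, 10.0.2.15, 198.51.100.7 addresses, the account/ENI ids and timestamps are hypothetical); the initiator heuristic is an assumption, since VPC flow logs do not carry TCP flag direction.

```python
"""Pair AWS VPC flow log records (one per direction) into conversations."""
from collections import defaultdict

# Constructed sample in VPC flow log v2 field order (hypothetical values):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.208 184.108.40.206 33112 443 6 12 1290 1600000000 1600000010 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.208 10.0.2.15 41322 3306 6 5 420 1600000003 1600000008 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.208 51000 22 6 1 44 1600000012 1600000012 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.1.208 3306 41322 6 5 910 1600000003 1600000009 ACCEPT OK
2 123456789012 eni-0a1b2c3d 184.108.40.206 10.0.1.208 443 33112 6 14 3664 1600000001 1600000025 ACCEPT OK
"""


def parse_record(line):
    f = line.split()
    return {"src": f[3], "dst": f[4], "sport": int(f[5]), "dport": int(f[6]),
            "proto": f[7], "bytes": int(f[9]), "start": int(f[10]),
            "end": int(f[11]), "action": f[12]}


def conversation_key(r):
    """Same key for both directions: order the two (ip, port) endpoints."""
    a, b = (r["src"], r["sport"]), (r["dst"], r["dport"])
    return (r["proto"],) + (a + b if a <= b else b + a)


def summarize(text):
    """Return {(initiator, responder, responder_port): summary} per conversation."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            r = parse_record(line)
            groups[conversation_key(r)].append(r)
    conversations = {}
    for recs in groups.values():
        # Heuristic (assumption): the record with the earliest start is the
        # initiating direction; on a tie prefer the one whose dstport is lower,
        # i.e. the service port rather than the ephemeral port.
        first = min(recs, key=lambda r: (r["start"], r["dport"]))
        start = min(r["start"] for r in recs)
        end = max(r["end"] for r in recs)
        conversations[(first["src"], first["dst"], first["dport"])] = {
            "total_bytes": sum(r["bytes"] for r in recs),
            "start": start, "end": end, "duration": end - start,
            "records": len(recs),  # 1 means no reply direction was logged
            "actions": sorted({r["action"] for r in recs}),
        }
    return conversations


if __name__ == "__main__":
    for key, summary in summarize(SAMPLE_FLOW_LOGS).items():
        print(key, summary)
```

The same idea in SPL (untested sketch) is an `eval` that builds the ordered endpoint key, followed by `stats sum(bytes) min(start) max(end) count by key`; a conversation with count 1 is a one-sided flow, which for REJECT records is usually a probe that never got a reply.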