Find 2 way communication in flow

Splunk Search

Looking for the most efficient way to find 2 way traffic in flow data for a particular set of IP/port/protocol combinations:

index=flow protocol=6 AND src_port IN (94, 407, 1417, 1418, 1419, 1420)
OR dest_port IN (94, 407, 1417, 1418, 1419, 1420) AND NOT src_port IN ( 21, 22) AND NOT dest_port IN ( 21, 22)

This gets us the inital data set but having trouble formulating an efficient way to find matching events where src_ip = dest_ip and dest_ip = src_ip
from the intial query and flow protocol=6 AND src_port IN (94, 407, 1417, 1418, 1419, 1420) OR dest_port IN (94, 407, 1417, 1418, 1419, 1420)
AND NOT src_port IN ( 21, 22) AND NOT dest_port IN ( 21, 22)

For example:

src_ip = 10.1.1.10, src_port=94, dest_ip= 10.1.1.1, dest_port=407

would match:

src_ip = 10.1.1.1, src_port=94, dest_ip= 10.1.1.10, dest_port=407

src_ip = 10.1.1.1, src_port=1418, dest_ip= 10.1.1.10, dest_port=407

Get Updates on the Splunk Community!

Find 2 way communication in flow

join

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation

Find 2 way communication in flow

join

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...