Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Find 2 way communication in flow

ky129q
Engager
‎09-28-2021 04:53 AM

Looking for the most efficient way to find 2 way traffic in flow data for a particular set of IP/port/protocol combinations:

index=flow protocol=6 AND src_port IN (94, 407, 1417, 1418, 1419, 1420)
OR dest_port IN (94, 407, 1417, 1418, 1419, 1420) AND NOT src_port IN ( 21, 22) AND NOT dest_port IN ( 21, 22)

This gets us the inital data set but having trouble formulating an efficient way to find matching events where src_ip = dest_ip and dest_ip = src_ip
from the intial query and flow protocol=6 AND src_port IN (94, 407, 1417, 1418, 1419, 1420) OR dest_port IN (94, 407, 1417, 1418, 1419, 1420)
AND NOT src_port IN ( 21, 22) AND NOT dest_port IN ( 21, 22)

For example:

src_ip = 10.1.1.10,  src_port=94,  dest_ip= 10.1.1.1, dest_port=407 

would match:

src_ip = 10.1.1.1,  src_port=94,  dest_ip= 10.1.1.10, dest_port=407 

src_ip = 10.1.1.1,  src_port=1418,  dest_ip= 10.1.1.10, dest_port=407

Labels (2)
Labels
Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...