Splunk Search

How to find events that match except with the fields reversed.

zaludma
Engager

I am trying to figure out how to display all of the reverse matches in a list by each event. This would include showing the original event and all events that match with that event except for having the fields reversed. For example:

 

Foo Bar

 

Would be displayed along with all reverse matches represented by:

 

Bar Foo

 

 So if there were a thousand or so values, it would go down the list and find all reverse matches.

 

Foo Bar    |    Bar Foo
           |    Bar Foo
           |    Bar Foo
-----------------------------
Hello There|    There Hello
           |    There Hello
-----------------------------
Src Dst    |    Dst Src
           |    Dst Src
           |    Dst Src
           |    Dst Src

 

I am not sure where to go from here (https://wiki.splunk.com/Deploy:Combine_bi-directional_network_logs).

Using the example from this page, if I wanted to find bidirectional communications using these logs:

 

2007-09-14 10:54:58.130 0.896 TCP 216.129.82.250:2691 -> 209.104.58.141:80 3 144 1

2007-09-14 10:54:55.378 5.184 TCP 209.191.118.103:25 -> 209.104.37.200:26490 26 1453 1

 

I would want to search based on Source IP/Port and Destination IP/Port. I would be looking for matches based on those flipped values like:

 

<date> <time> <duration> <protocol> 209.104.58.141:80 -> 216.129.82.250:2691 <etc.>

<date> <time> <duration> <protocol> 209.104.37.200:26490 -> 209.191.118.103:25 <etc.> 

 

Field names would be "src_ip", "src_port", "dst_ip", and "dst_port".

Labels (5)
0 Karma

saravanan90
Contributor

This may help...

base search  |stats count by src_ip src_port dst_ip dst_port
| eval src=(replace(src_ip,"\.","").src_port) | eval dst=(replace(dst_ip,"\.","").dst_port) | table src_ip, src, src_port,dst,dst_ip,dst_port
| eval commonid=if(src>dst, src.src_port.dst.dst_port, dst.dst_port.src.src_port)
| eventstats count by commonid
| where count > 1

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @zaludma,

Can you please show your query and its output that you want to find reverse matches? Are we talking specific fields/values?  

If this reply helps you an upvote and "Accept as Solution" is appreciated.

zaludma
Engager

@scelikok I will use the data from the link as an example. I am trying to find bidirectional netflow based on IPs and Ports. I will add examples to the post.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...