Match rows based on matching fields (src_port + de...

jackhamm25 · ‎08-22-2017

I'm having a little problem with matching events. Basically, I collect flows from an IPFIX (NetFlow) collector and each row is one half of the total flow. I can get to the individual lines, but I can't bind the two together. I've tried transaction, but it doesn't seem to work.

I'm basically looking to match the situation where src_port[row1] == dest_port[row2] and src_ip[row1] == dest_ip[row2]

Here's what I can do -- I just want to match each of the rows together -or- if there is no match, just show the single row:

index=ipfix 
| eval srcp=mvindex(src_port,0) 
| eval destp=mvindex(dest_port,0) 
| stats count(tcp_seq_num) as seqcnt by src_ip, dest_ip, srcp, destp
| table seqcnt, srcp, destp, src_ip, dest_ip

seqcnt      srcp     destp      src_ip          dest_ip
5           80       56311      77.234.41.24    10.10.10.10
4           56311    80         10.10.10.10     77.234.41.24
3           61860    80         10.10.11.11     5.153.253.76
3           80       61860      5.153.253.76    10.10.11.11
1           58731    53         10.10.11.12     8.8.8.8

Appreciate any help!

somesoni2 · ‎08-22-2017

Give this a try

index=ipfix 
 | eval srcp=mvindex(src_port,0) 
 | eval destp=mvindex(dest_port,0)
 | eval ip_addresses=mvsort(split(src_ip."#".dest_ip,"#"))
| stats list(srcp) as srcp list(destp) as destp list(src_ip) as src_ip list(dest_ip) as dest_ip count(tcp_seq_num) as seqcnt by ip_addresses

Match rows based on matching fields (src_port + dest_port)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation