Splunk Search

Match rows based on matching fields (src_port + dest_port)

Explorer

I'm having a little problem with matching events. Basically, I collect flows from an IPFIX (NetFlow) collector and each row is one half of the total flow. I can get to the individual lines, but I can't bind the two together. I've tried transaction, but it doesn't seem to work.

I'm basically looking to match the situation where src_port[row1] == dest_port[row2] and src_ip[row1] == dest_ip[row2]

Here's what I can do -- I just want to match each of the rows together -or- if there is no match, just show the single row:

index=ipfix 
| eval srcp=mvindex(src_port,0) 
| eval destp=mvindex(dest_port,0) 
| stats count(tcp_seq_num) as seqcnt by src_ip, dest_ip, srcp, destp
| table seqcnt, srcp, destp, src_ip, dest_ip

seqcnt      srcp     destp      src_ip          dest_ip
5           80       56311      77.234.41.24    10.10.10.10
4           56311    80         10.10.10.10     77.234.41.24
3           61860    80         10.10.11.11     5.153.253.76
3           80       61860      5.153.253.76    10.10.11.11
1           58731    53         10.10.11.12     8.8.8.8

Appreciate any help!

0 Karma

SplunkTrust
SplunkTrust

Give this a try

index=ipfix 
 | eval srcp=mvindex(src_port,0) 
 | eval destp=mvindex(dest_port,0)
 | eval ip_addresses=mvsort(split(src_ip."#".dest_ip,"#"))
| stats list(srcp) as srcp list(destp) as destp list(src_ip) as src_ip list(dest_ip) as dest_ip count(tcp_seq_num) as seqcnt by ip_addresses
0 Karma