I'm having a little problem with matching events. Basically, I collect flows from an IPFIX (NetFlow) collector and each row is one half of the total flow. I can get to the individual lines, but I can't bind the two together. I've tried transaction, but it doesn't seem to work.
I'm basically looking to match the situation where src_port[row1] == dest_port[row2] and src_ip[row1] == dest_ip[row2]
Here's what I can do -- I just want to match each of the rows together -or- if there is no match, just show the single row:
| eval srcp=mvindex(src_port,0)
| eval destp=mvindex(dest_port,0)
| eval ip_addresses=mvsort(split(src_ip."#".dest_ip,"#"))
| stats list(srcp) as srcp list(destp) as destp list(src_ip) as src_ip list(dest_ip) as dest_ip count(tcp_seq_num) as seqcnt by ip_addresses