I'm having a little problem with matching events. Basically, I collect flows from an IPFIX (NetFlow) collector and each row is one half of the total flow. I can get to the individual lines, but I can't bind the two together. I've tried transaction, but it doesn't seem to work.
I'm basically looking to match the situation where src_port[row1] == dest_port[row2] and src_ip[row1] == dest_ip[row2]
Here's what I can do -- I just want to match each of the rows together -or- if there is no match, just show the single row:
index=ipfix
| eval srcp=mvindex(src_port,0)
| eval destp=mvindex(dest_port,0)
| stats count(tcp_seq_num) as seqcnt by src_ip, dest_ip, srcp, destp
| table seqcnt, srcp, destp, src_ip, dest_ip
seqcnt  srcp   destp  src_ip         dest_ip
5       80     56311  77.234.41.24   10.10.10.10
4       56311  80     10.10.10.10    77.234.41.24
3       61860  80     10.10.11.11    5.153.253.76
3       80     61860  5.153.253.76   10.10.11.11
1       58731  53     10.10.11.12    8.8.8.8
Appreciate any help!
Give this a try
index=ipfix
| eval srcp=mvindex(src_port,0)
| eval destp=mvindex(dest_port,0)
| eval ip_addresses=mvsort(split(src_ip."#".dest_ip,"#"))
| stats list(srcp) as srcp list(destp) as destp list(src_ip) as src_ip list(dest_ip) as dest_ip count(tcp_seq_num) as seqcnt by ip_addresses
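The pairing trick in the answer is to replace the direction-dependent (src, dest) fields with a direction-independent key (the sorted pair), so both halves of a flow land in the same stats group. The following Python is an added, stand-alone illustration of that idea and is not code from the question or the answer; the sample rows are constructed from the aggregated table in the question. It goes one step beyond the answer's key by sorting (ip, port) endpoints rather than IPs alone, so that two concurrent connections between the same pair of hosts are not merged into one group, and it keeps an unmatched half (the single DNS row) as its own entry, which is the "show the single row" case the question asks for.

```python
from collections import defaultdict

# Constructed sample rows, copied from the aggregated table in the question.
# Fields mirror the SPL output: seqcnt, srcp, destp, src_ip, dest_ip.
FLOW_ROWS = [
    {"seqcnt": 5, "srcp": 80,    "destp": 56311, "src_ip": "77.234.41.24", "dest_ip": "10.10.10.10"},
    {"seqcnt": 4, "srcp": 56311, "destp": 80,    "src_ip": "10.10.10.10",  "dest_ip": "77.234.41.24"},
    {"seqcnt": 3, "srcp": 61860, "destp": 80,    "src_ip": "10.10.11.11",  "dest_ip": "5.153.253.76"},
    {"seqcnt": 3, "srcp": 80,    "destp": 61860, "src_ip": "5.153.253.76", "dest_ip": "10.10.11.11"},
    {"seqcnt": 1, "srcp": 58731, "destp": 53,    "src_ip": "10.10.11.12",  "dest_ip": "8.8.8.8"},
]


def flow_key(row):
    """Direction-independent key for one half of a flow.

    Equivalent in spirit to the answer's mvsort(split(src_ip."#".dest_ip,"#")),
    but each endpoint is an (ip, port) tuple, so the key also satisfies the
    question's src_port[row1] == dest_port[row2] condition and does not collapse
    distinct connections between the same two hosts.
    """
    a = (row["src_ip"], row["srcp"])
    b = (row["dest_ip"], row["destp"])
    return tuple(sorted([a, b]))


def pair_flows(rows):
    """Group half-flows by flow_key and report each group.

    A group is 'matched' only when it holds exactly two halves travelling in
    opposite directions; a lone half (or a duplicate of the same direction)
    is still emitted so nothing is silently dropped.
    """
    groups = defaultdict(list)
    for row in rows:                       # preserves first-seen order of keys
        groups[flow_key(row)].append(row)

    result = []
    for key, halves in groups.items():
        opposite = (len(halves) == 2
                    and halves[0]["src_ip"] == halves[1]["dest_ip"]
                    and halves[0]["srcp"] == halves[1]["destp"])
        result.append({
            "endpoints": key,
            "halves": halves,
            "seqcnt": sum(h["seqcnt"] for h in halves),
            "matched": opposite,
        })
    return result


if __name__ == "__main__":
    for g in pair_flows(FLOW_ROWS):
        (ip_a, port_a), (ip_b, port_b) = g["endpoints"]
        status = "paired" if g["matched"] else "single"
        print(f"{status:6} {ip_a}:{port_a} <-> {ip_b}:{port_b}  seqcnt={g['seqcnt']}")
```

In SPL terms the same key would be built by sorting the two "ip:port" strings, e.g. mvsort(split(src_ip.":".srcp."#".dest_ip.":".destp,"#")), and then used as the by-field of the stats command; the list() aggregations in the answer then show both halves side by side, and a group with a single value in src_ip is the unmatched case.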