Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find events that match except with the fields reversed.

zaludma
Engager
‎02-05-2021 11:06 AM

I am trying to figure out how to display all of the reverse matches in a list by each event. This would include showing the original event and all events that match with that event except for having the fields reversed. For example:

 

Foo Bar

 

Would be displayed along with all reverse matches represented by:

 

Bar Foo

 

 So if there were a thousand or so values, it would go down the list and find all reverse matches.

 

Foo Bar    |    Bar Foo
           |    Bar Foo
           |    Bar Foo
-----------------------------
Hello There|    There Hello
           |    There Hello
-----------------------------
Src Dst    |    Dst Src
           |    Dst Src
           |    Dst Src
           |    Dst Src

 

I am not sure where to go from here (https://wiki.splunk.com/Deploy:Combine_bi-directional_network_logs).

Using the example from this page, if I wanted to find bidirectional communications using these logs:

 

2007-09-14 10:54:58.130 0.896 TCP 216.129.82.250:2691 -> 209.104.58.141:80 3 144 1

2007-09-14 10:54:55.378 5.184 TCP 209.191.118.103:25 -> 209.104.37.200:26490 26 1453 1

 

I would want to search based on Source IP/Port and Destination IP/Port. I would be looking for matches based on those flipped values like:

 

<date> <time> <duration> <protocol> 209.104.58.141:80 -> 216.129.82.250:2691 <etc.>

<date> <time> <duration> <protocol> 209.104.37.200:26490 -> 209.191.118.103:25 <etc.>

 

Field names would be "src_ip", "src_port", "dst_ip", and "dst_port".

Labels (5)
0 Karma
Reply

saravanan90
Contributor
‎02-05-2021 11:18 PM

This may help...

base search  |stats count by src_ip src_port dst_ip dst_port
| eval src=(replace(src_ip,"\.","").src_port) | eval dst=(replace(dst_ip,"\.","").dst_port) | table src_ip, src, src_port,dst,dst_ip,dst_port
| eval commonid=if(src>dst, src.src_port.dst.dst_port, dst.dst_port.src.src_port)
| eventstats count by commonid
| where count > 1

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-05-2021 11:35 AM

Hi @zaludma,

Can you please show your query and its output that you want to find reverse matches? Are we talking specific fields/values?  

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

zaludma
Engager
‎02-05-2021 11:41 AM

@scelikok I will use the data from the link as an example. I am trying to find bidirectional netflow based on IPs and Ports. I will add examples to the post.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...