https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-remove-duplicated-ips/m-p/626561#M217770 <P>Hi All,</P> <P>Greetings!</P> <P>Need help on splunk query,</P> <P>I have 2 indexes assets and vulns, am trying to build report to analyze percent % assets are not scanned, with below query am getting results percent, but some of the ip's are having duplicate entries which are showing as as scanned and not scanned for same ip, i need query to remove from SCANNED =0 if the same ip SCANNED=1, I tried using dedup but since its removing randomly so scanned ip's also getting removed.&nbsp;</P> <P>Please help me with correct query</P> <P>((index=index1 sourcetype=asset) OR&nbsp;(index=index1 sourcetype=vulns))<BR />| eval vuln=if('sourcetype'="vulns","yes","no")<BR />| eval assets=if('sourcetype'="asset","yes","no")<BR />| stats max(eval(if(vuln="yes",1,0))) AS SCANNED max(eval(if(assets="yes",1,0))) AS ASSETS latest(ip) as ip by uuid<BR />| search&nbsp;ASSETS=1<BR />| stats count(eval( SCANNED &gt; 0)) AS scanned, count(uuid) as total<BR />| eval percent = round((scanned/(total))*100,2)<BR /><BR />Result example</P> <TABLE width="187"> <TBODY> <TR> <TD width="57">scanned</TD> <TD width="53">ASSETS&nbsp;</TD> <TD width="77">ip</TD> </TR> <TR> <TD>0</TD> <TD>1</TD> <TD>192.168.1.1</TD> </TR> <TR> <TD>1</TD> <TD>1</TD> <TD>192.168.1.1</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Thanks!</P> Wed, 11 Jan 2023 17:12:24 GMT kpavan 2023-01-11T17:12:24Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-remove-duplicated-ips/m-p/626561#M217770 <P>Hi All,</P> <P>Greetings!</P> <P>Need help on splunk query,</P> <P>I have 2 indexes assets and vulns, am trying to build report to analyze percent % assets are not scanned, with below query am getting results percent, but some of the ip's are having duplicate entries which are showing as as scanned and not scanned for same ip, i need query to remove from SCANNED =0 if the same ip SCANNED=1, I tried using dedup but since its removing randomly so scanned ip's also getting removed.&nbsp;</P> <P>Please help me with correct query</P> <P>((index=index1 sourcetype=asset) OR&nbsp;(index=index1 sourcetype=vulns))<BR />| eval vuln=if('sourcetype'="vulns","yes","no")<BR />| eval assets=if('sourcetype'="asset","yes","no")<BR />| stats max(eval(if(vuln="yes",1,0))) AS SCANNED max(eval(if(assets="yes",1,0))) AS ASSETS latest(ip) as ip by uuid<BR />| search&nbsp;ASSETS=1<BR />| stats count(eval( SCANNED &gt; 0)) AS scanned, count(uuid) as total<BR />| eval percent = round((scanned/(total))*100,2)<BR /><BR />Result example</P> <TABLE width="187"> <TBODY> <TR> <TD width="57">scanned</TD> <TD width="53">ASSETS&nbsp;</TD> <TD width="77">ip</TD> </TR> <TR> <TD>0</TD> <TD>1</TD> <TD>192.168.1.1</TD> </TR> <TR> <TD>1</TD> <TD>1</TD> <TD>192.168.1.1</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Thanks!</P> Wed, 11 Jan 2023 17:12:24 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-remove-duplicated-ips/m-p/626561#M217770 kpavan 2023-01-11T17:12:24Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-remove-duplicated-ips/m-p/626576#M217778 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49826">@kpavan</a>,</P><P>please try this:</P><LI-CODE lang="markup">((index=index1 sourcetype=asset) OR (index=index1 sourcetype=vulns)) | stats count(eval(if(sourcetype="vulnes",1,0))) AS SCANNED count(eval(if(sourcetype="asset",1,0))) AS ASSETS count AS total BY ip | where ASSETS&gt;0 | eval percent = round((SCANNED /(total))*100,2)</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 10 Jan 2023 12:13:41 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-remove-duplicated-ips/m-p/626576#M217778 gcusello 2023-01-10T12:13:41Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-remove-duplicated-ips/m-p/626584#M217781 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>,</P><P>Thanks for the response!</P><P>I tried with your query, since uuid is the unique identifier and ip's are overlap with different network ranges. So if I use stats by ip the % are dropping from actual percent when do manual calculation.</P><P>So I wanted to remove ip's where it was already mentioned as scanned.</P> Tue, 10 Jan 2023 13:01:05 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-remove-duplicated-ips/m-p/626584#M217781 kpavan 2023-01-10T13:01:05Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-remove-duplicated-ips/m-p/626590#M217784 <P>HI&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49826">@kpavan</a>,</P><P>you must use uuid as identifier, could you have more IPs for the same IP?</P><P>if yes, how do you want to manage this situation?</P><P>maybe you could try something like this:</P><LI-CODE lang="markup">((index=index1 sourcetype=asset) OR (index=index1 sourcetype=vulns)) | stats count(eval(if(sourcetype="vulnes",1,0))) AS SCANNED count(eval(if(sourcetype="asset",1,0))) AS ASSETS values(ip) AS ip count AS total BY uuid | mvexpand ip | stats max(SCANNED) AS SCANNED max(ASSETS) AS ASSETS max(total) AS total BY ip | where ASSETS&gt;0 | eval percent = round((SCANNED /(total))*100,2)</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 10 Jan 2023 13:20:19 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-remove-duplicated-ips/m-p/626590#M217784 gcusello 2023-01-10T13:20:19Z