https://community.splunk.com/t5/Splunk-Search/Finding-a-percentage-for-every-value-in-another-field/m-p/308390#M92504 <P>I am looking for source IPs that have a high percentage of being blocked. The evaluations below work fine if I use just one source IP. But I want to test multiple source IPs, and am not sure how to cycle through them. I know that Splunk has a foreach command. I am not sure how to cycle the testing SPL into the 'foreach loop'. (Or how to refer to the src variable for purposes of getting a total count.)</P> <PRE><CODE>&lt;Network_Search&gt; (src="1.1.1.1" OR src="1.1.1.2") | stats count(eval(src="")) as totalCount,count(eval(result="blocked")) as blocked | eval blockedPercent=blocked/totalCount*100 | where blockedPercent&gt;50 | table src, blockedPercent </CODE></PRE> <P>Anyone good at nesting this type of search?</P> <P>I did find:<BR /> <A href="https://answers.splunk.com/answers/298931/how-to-calculate-percentage-for-each-category.html">https://answers.splunk.com/answers/298931/how-to-calculate-percentage-for-each-category.html</A></P> <P>But when I use:</P> <PRE><CODE>&lt;Network_Search&gt; (src="1.1.1.1" OR src="1.1.1.2") | eventstats count(src) as total |stats count(eval(result="blocked")) as count by src |eval percent=round(count/total*100,2) | table src,percent </CODE></PRE> <P>I get a blank percentage. Not sure if I should stick with event stats, or try a foreach...</P> Sun, 02 Apr 2017 01:14:43 GMT stakor 2017-04-02T01:14:43Z https://community.splunk.com/t5/Splunk-Search/Finding-a-percentage-for-every-value-in-another-field/m-p/308390#M92504 <P>I am looking for source IPs that have a high percentage of being blocked. The evaluations below work fine if I use just one source IP. But I want to test multiple source IPs, and am not sure how to cycle through them. I know that Splunk has a foreach command. I am not sure how to cycle the testing SPL into the 'foreach loop'. (Or how to refer to the src variable for purposes of getting a total count.)</P> <PRE><CODE>&lt;Network_Search&gt; (src="1.1.1.1" OR src="1.1.1.2") | stats count(eval(src="")) as totalCount,count(eval(result="blocked")) as blocked | eval blockedPercent=blocked/totalCount*100 | where blockedPercent&gt;50 | table src, blockedPercent </CODE></PRE> <P>Anyone good at nesting this type of search?</P> <P>I did find:<BR /> <A href="https://answers.splunk.com/answers/298931/how-to-calculate-percentage-for-each-category.html">https://answers.splunk.com/answers/298931/how-to-calculate-percentage-for-each-category.html</A></P> <P>But when I use:</P> <PRE><CODE>&lt;Network_Search&gt; (src="1.1.1.1" OR src="1.1.1.2") | eventstats count(src) as total |stats count(eval(result="blocked")) as count by src |eval percent=round(count/total*100,2) | table src,percent </CODE></PRE> <P>I get a blank percentage. Not sure if I should stick with event stats, or try a foreach...</P> Sun, 02 Apr 2017 01:14:43 GMT https://community.splunk.com/t5/Splunk-Search/Finding-a-percentage-for-every-value-in-another-field/m-p/308390#M92504 stakor 2017-04-02T01:14:43Z https://community.splunk.com/t5/Splunk-Search/Finding-a-percentage-for-every-value-in-another-field/m-p/308391#M92505 <P>Like this:</P> <PRE><CODE>&lt;Network_Search&gt; | stats count AS totalCount count(eval(result="blocked")) AS blockedCount BY src | eval blockedPercent=round(100*blockedCount/totalCount, 2) | search blockedPercent&gt;50 | table src, blockedPercent </CODE></PRE> Sun, 02 Apr 2017 02:33:42 GMT https://community.splunk.com/t5/Splunk-Search/Finding-a-percentage-for-every-value-in-another-field/m-p/308391#M92505 woodcock 2017-04-02T02:33:42Z