How do I split out a result So that I have a count...

faceplate23 · ‎10-08-2015

here is what I am trying to do I have a bunch of IP address's
Source Count
10.150.1.181 19984
10.150.2.108 18314
10.150.2.178 15660
10.150.1.108 7045
10.150.1.98 3709
10.152.1.57 2422
10.1.90.70 1946
10.1.30.70 1660
10.150.1.15 1592
10.150.1.161 1395
10.1.10.51 1276
10.150.2.82 1003
10.1.12.46 947
10.150.1.77 780
10.5.10.46 730
10.150.1.14 704
10.150.1.63 629
10.150.1.88 610
10.150.1.81 577
10.1.70.69 569
10.150.2.35 531
10.1.120.39 464

And I would like to see that percentage of my IP addresses come from 10.150 and what percentage does not. So I would like to see
Vlan150 70%
other 30%

Any help would be appreciated

somesoni2 · ‎10-08-2015

Try something like this

your current search giving Source Count | eval Source=if(like(Source,"10.150.%"),"VLAN 150","Others") | stats sum(Count) as Count by Source | eventstats sum(Count) as Total | eval Perc=round(Count*100/Total,2) | table Source Perc

mattrkeen · ‎10-08-2015

| eval network=if(cidrmatch("10.150.0.0/16",Source), "Vlan150", "Other") | top network limit=0

This is great way to separate out events based on a network and is documented in the splunk eval command at the below link.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval

woodcock · ‎10-08-2015

Like this:

... | stats count count(eval(source=10.150.*)) AS Vlan | eval Vlan = 100(Vlan/count) | eval other = 100-Vlan

How do I split out a result So that I have a count of True and False

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?

How do I split out a result So that I have a count of True and False

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside