Getting Data In

How do I split out a result So that I have a count of True and False

faceplate23
New Member

here is what I am trying to do I have a bunch of IP address's
Source Count
10.150.1.181 19984
10.150.2.108 18314
10.150.2.178 15660
10.150.1.108 7045
10.150.1.98 3709
10.152.1.57 2422
10.1.90.70 1946
10.1.30.70 1660
10.150.1.15 1592
10.150.1.161 1395
10.1.10.51 1276
10.150.2.82 1003
10.1.12.46 947
10.150.1.77 780
10.5.10.46 730
10.150.1.14 704
10.150.1.63 629
10.150.1.88 610
10.150.1.81 577
10.1.70.69 569
10.150.2.35 531
10.1.120.39 464

And I would like to see that percentage of my IP addresses come from 10.150 and what percentage does not. So I would like to see
Vlan150 70%
other 30%

Any help would be appreciated

0 Karma

somesoni2
Revered Legend

Try something like this

your current search giving Source Count | eval Source=if(like(Source,"10.150.%"),"VLAN 150","Others") | stats sum(Count) as Count by Source | eventstats sum(Count) as Total | eval Perc=round(Count*100/Total,2) | table Source Perc
0 Karma

mattrkeen
New Member
| eval network=if(cidrmatch("10.150.0.0/16",Source), "Vlan150", "Other") | top network limit=0

This is great way to separate out events based on a network and is documented in the splunk eval command at the below link.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval

0 Karma

woodcock
Esteemed Legend

Like this:

... | stats count count(eval(source=10.150.*)) AS Vlan | eval Vlan = 100(Vlan/count) | eval other = 100-Vlan
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...