Good Day!
Given the following data...
src     | dst
1.2.3.4 | 9.8.7.6
1.2.3.4 | 9.8.7.6
1.2.3.4 | 9.8.7.6
4.3.2.1 | 6.7.8.9
1.2.3.4 | 5.6.7.8
I'd like to display a table showing the percentage of events by src, and then break this down further by displaying the percentage of total events by src-dst pair...
The results would look like...
src     | src % | dst - dst %
1.2.3.4 | 80%   | 9.8.7.6 60%
        |       | 5.6.7.8 20%
4.3.2.1 | 20%   | 6.7.8.9 20%
Any help would be much appreciated.
Thanks.
Hi Splunkhelp (...if indeed that is your real name!...)
So I got bored and wrote what is probably an inefficient search that someone else is more than welcome to improve upon. After putting your table into a CSV file called ip_report.csv, I was able to get the following table:
With the following (ugly, ugly) search:
| inputlookup ip_report.csv
| top src, dst
| rename percent AS dst_perc
| join src [
| inputlookup ip_report.csv
| top src
| rename percent AS src_perc ]
| fields src, src_perc, dst, dst_perc
| sort src
If you replace the "| inputlookup ip_report.csv" with your base search, it will hopefully give you what you're looking for 🙂
However I know a better way to do this exists...
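A join-free way to produce the same src % and src-dst % columns, added here as an example and not part of the original answer. It assumes the same src and dst fields and the ip_report.csv lookup from the answer; stats counts each src-dst pair once, and the two eventstats calls carry the overall total and the per-src total alongside every row so both percentages come from a single pass.

```spl
| inputlookup ip_report.csv
| stats count AS pair_count BY src, dst
| eventstats sum(pair_count) AS total
| eventstats sum(pair_count) AS src_count BY src
| eval src_perc=round(100*src_count/total, 2), dst_perc=round(100*pair_count/total, 2)
| fields src, src_perc, dst, dst_perc
| sort src, -dst_perc
```

Unlike top, which keeps only its default limit of 10 values, stats and eventstats report every src-dst pair, so the percentages still sum to 100 on larger data sets.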