Splunk Search

Finding a percentage for every value in another field

stakor
Path Finder

I am looking for source IPs that have a high percentage of being blocked. The evaluations below work fine if I use just one source IP. But I want to test multiple source IPs, and am not sure how to cycle through them. I know that Splunk has a foreach command. I am not sure how to cycle the testing SPL into the 'foreach loop'. (Or how to refer to the src variable for purposes of getting a total count.)

<Network_Search>  (src="1.1.1.1" OR src="1.1.1.2")
| stats count(eval(src="")) as totalCount,count(eval(result="blocked")) as blocked
| eval blockedPercent=blocked/totalCount*100
| where blockedPercent>50
| table src, blockedPercent

Anyone good at nesting this type of search?

I did find:
https://answers.splunk.com/answers/298931/how-to-calculate-percentage-for-each-category.html

But when I use:

<Network_Search>  (src="1.1.1.1" OR src="1.1.1.2")
| eventstats count(src) as total |stats count(eval(result="blocked")) as count by src |eval percent=round(count/total*100,2) 
| table src,percent

I get a blank percentage. Not sure if I should stick with event stats, or try a foreach...

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

<Network_Search>
| stats count AS totalCount count(eval(result="blocked")) AS blockedCount BY src
| eval blockedPercent=round(100*blockedCount/totalCount, 2)
| search blockedPercent>50
| table src, blockedPercent

View solution in original post

woodcock
Esteemed Legend

Like this:

<Network_Search>
| stats count AS totalCount count(eval(result="blocked")) AS blockedCount BY src
| eval blockedPercent=round(100*blockedCount/totalCount, 2)
| search blockedPercent>50
| table src, blockedPercent
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...