Is it possible to match IP address range in tstats where clause?
It's possible to do this with search+stats:
index=test IP="10.1.1.0/25" | stats count by IP
But since we have IP extracted at index time, I'd rather take advantage of tstats performance and run something like
| tstats count where index=test IP="10.1.1.0/25" by IP
but that doesn't work as expected: tstats matches any IP, as if the filter were IP="*"
I think that you have already used the tscollect command (e.g. into test_stats) before using tstats, something like this:
index=test earliest=-30d latest=now | table _time IP field1 field2 field3 ... | tscollect test_stats
so the command could be:
| tstats count FROM test_stats GROUPBY IP
I downvoted this post because:
Sorry, can't accept. Your reply doesn't answer my question:
1. Your assumption that I've used '| tscollect' is incorrect.
2. The '| tstats ...' you proposed misses the point of returning only IPs in a specific range.
Actually, natural CIDR filters work in:
| tstats count FROM datamodel=Network_Traffic WHERE index=* AND All_Traffic.src="10.0.0.0/8"
| tstats count WHERE index=* AND host="10.0.0.0/8"
This has been in Splunk for a long time, but maybe not always. It works in all versions of 7.*
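As an added check (not part of the original thread), the symptom the question describes can be confirmed or ruled out by running the CIDR-filtered tstats count next to the unfiltered count for the same index. If both numbers are equal while the range is narrower than the data, the CIDR filter is not being applied. This assumes the question's index=test and its index-time extracted field IP:

```spl
| tstats count WHERE index=test IP="10.1.1.0/25"
| eval filter="cidr 10.1.1.0/25"
| append [| tstats count WHERE index=test | eval filter="none"]
| table filter count
```

The first row should be smaller than the second whenever the index holds addresses outside 10.1.1.0/25; running the filtered search with `BY IP` (as in the question) then lets you eyeball that every returned address really falls inside the range.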