Hi,

You can try using a simple search like:

index=NETWORK_INDEX src_ip=10.0.0.0/8 AND (dest_ip=47.114.37.0/24 OR dest_ip=49.85.84.0/24 OR dest_ip=61.111.20.129/32 OR dest_ip=62.217.245.69/32 OR dest_ip=109.166.202.229/32)
| stats count by src_ip, dest_ip

Or using the Network Traffic data model:

| from datamodel:Network_Traffic.All_Traffic
| search src_ip=10.0.0.0/8 AND (dest_ip=47.114.37.0/24 OR dest_ip=49.85.84.0/24 OR dest_ip=61.111.20.129/32 OR dest_ip=62.217.245.69/32 OR dest_ip=109.166.202.229/32)
| stats count by src_ip, dest_ip

The best approach you can use is lookups. If you have a lookup table with fields similar to IP and STATUS, it is possible to create a lookup definition. Supposing you have the lookup below, you can create a lookup definition named ip_blacklist:

ip,status
47.114.37.0/24,blacklist
49.85.84.0/24,blacklist
61.111.20.129/32,blacklist
62.217.245.69/32,blacklist
109.166.202.229/32,blacklist

After that, you can use the lookup and its fields in your search:

index=NETWORK_INDEX src_ip=10.0.0.0/8
| lookup ip_blacklist ip as dest_ip OUTPUT status
| where status="blacklist"
| stats count by src_ip, dest_ip

Or using the Network Traffic data model:

| from datamodel:Network_Traffic.All_Traffic
| search src_ip=10.0.0.0/8
| lookup ip_blacklist ip as dest_ip OUTPUT status
| where status="blacklist"
| stats count by src_ip, dest_ip
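Added example, not part of the original answer: a Python emulation of the ip_blacklist lookup that shows why the lookup definition needs a CIDR match type on the ip field (match_type = CIDR(ip) in transforms.conf), since Splunk otherwise compares dest_ip to the ip column as an exact string. The lookup rows are the ones from the post; the events and function names are constructed for illustration.

```python
import csv, io, ipaddress
from collections import Counter

# Lookup rows from the post above.
LOOKUP_CSV = """ip,status
47.114.37.0/24,blacklist
49.85.84.0/24,blacklist
61.111.20.129/32,blacklist
62.217.245.69/32,blacklist
109.166.202.229/32,blacklist
"""

# Constructed sample events (src_ip, dest_ip); not real traffic.
EVENTS = [
    ("10.1.2.3", "47.114.37.200"),
    ("10.1.2.3", "47.114.37.200"),
    ("10.9.9.9", "61.111.20.129"),
    ("10.9.9.9", "61.111.20.130"),   # one address off the /32
    ("192.168.1.5", "49.85.84.7"),   # source outside 10.0.0.0/8
    ("10.4.4.4", "8.8.8.8"),
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")

def load_lookup(text):
    """Return [(network, status)]; strict=True rejects rows with host bits set."""
    rows = csv.DictReader(io.StringIO(text))
    return [(ipaddress.ip_network(r["ip"], strict=True), r["status"]) for r in rows]

def exact_hits(events, text):
    """Exact-match behaviour: dest_ip must equal the ip column as a string."""
    table = {r["ip"]: r["status"] for r in csv.DictReader(io.StringIO(text))}
    return Counter(e for e in events if table.get(e[1]) == "blacklist")

def cidr_hits(events, lookup):
    """CIDR behaviour: dest_ip matches when it falls inside a listed network."""
    hits = Counter()
    for src, dest in events:
        if ipaddress.ip_address(src) not in INTERNAL:
            continue  # mirrors src_ip=10.0.0.0/8
        d = ipaddress.ip_address(dest)
        if any(d in net and status == "blacklist" for net, status in lookup):
            hits[(src, dest)] += 1  # mirrors stats count by src_ip, dest_ip
    return hits

if __name__ == "__main__":
    print("exact:", dict(exact_hits(EVENTS, LOOKUP_CSV)))
    print("cidr: ", dict(cidr_hits(EVENTS, load_lookup(LOOKUP_CSV))))
```

With exact matching even the /32 rows miss, because the event value carries no prefix length; running the same check against a copy of your own lookup file before deploying it also catches malformed CIDR rows.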