@yuanliu, I tried the query you sent in addition to the one from @bowesmana. Yes, I got results. A table included.

1st question: since I have over 100 IPs, do I have to individually add them here like you mentioned below?

    | eval clientip = mvappend("10.12.143.5","192.168.5.250","172.0.58.52","192.168.5.13","10.12.6.8","10.12.143.82","192.168.5.2")

This was my query with pseudo IPs:

    | makeresults index=* sourcetype=*
    | eval clientip = mvappend("1.1.1.9","1.3.146.253","1.21.112.32","3.6.71.70")
    | mvexpand clientip
    | rex field=src_ip "(?<cidr_range>\d+\.\d+\.\d+)"
    | eval cidr_range=cidr_range.".1 - ".cidr_range.".255"
    | stats count by cidr_range, clientip
    | eventstats sum(count) as perc
    | eval percentage = round(count*100/perc,2)

I get a table that looks like this:

    cidr_range                  clientip      count  perc  percentage
    1.1.1.1 - 1.1.1.255         1.1.1.9       1      4     25
    1.3.146.1 - 1.3.146.255     1.3.146.253   1      4     25
    1.21.112.1 - 1.21.112.255   1.21.112.32   1      4     25
    3.6.71.1 - 3.6.71.255       3.6.71.70     1      4     25

But when I use this query

    index=* clientip="*" | stats count by clientip

to see/get all the list and count of the IPs individually, I get something roughly like this:

    clientip      count
    1.1.1.9       800
    1.3.146.253   75
    1.21.112.32   44
    3.6.71.70     52

In the logs, I have 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5 with their respective counts. It would be nice, since they are in the same range, to have them counted together in one column. That is, I was hoping I could get the appropriate count for IPs within a cidr_range; that way I can have a concise table instead of individual IPs and their count, considering that I need to have a percentage of each cidr_range.