Thank you for your response. My superior took over the task ... View more

Thank you so much. The feedback from @yuanliu  regarding getting the total was very helpful, and so was the link. ... View more

@johnhuang , Thank you so much for your response. I tried the top query. It did return events and tables but it gave me values more smaller in number. With the other query, I got no results in statistics but some values in the Events. ... View more

@yuanliu , Yes your speculation is 100% spot on. Exactly what I needed.  It worked. Thank you so much. The other challenge I had was that I had to use a calculator to calculate the total percentage of the ips as I wasn't sure the extra query to use. Example if ip.a-ip.e were 10.01, 2.05, 16.82, 11.97. 11.11 I manually calculated it to get a total sum of 59.96. I don't know if there could be another line of query to add to give that 59.96 instead of calculating it manually. However, I am super excited it worked and gave me the result I anticipated. ... View more

@PickleRick , Thank you so much for your detailed explanation. I understood it differently before now but your explanation made a huge difference.  ... View more

@yuanliu , Yes it was an error on my part and I sincerely apologize for that. Thanks for letting me know. Let me rewrite it | Mybase query | search ip IN ("ip.a", "ip.b", "ip.c", ip.d, "ip.e") | stats count by ip | eventstats sum(sum) as perc | eval percentage= round(count*100/perc,2) | fields - perc It gives me a table like this (these are rough values but this is the way the table looks.) ip Count Percentage ip.a 52 37.11 ip.b 35 26.12 ip.c 22 18.13 ip.d 44 15.16 ip.e 11 3.48 The Total percentage =100%. But when I use this query | My base query ip=* | stats count by ip | eventstats sum(sum) as perc | eval percentage= round(count*100/perc,2) | fields - perc I get about 5 pages of all the list of the ip addresses and their respective percentages including the ip.a to ip.e in a table which all together totals 100% but the percentages of ip.a to ip.e changes completely. The 5 ip addresses shouldn't give me a 100%. Right? It should a percentage fraction of the whole.   ... View more

I used these 2 queries below. Both gave me results (events and statistics) although a slight difference in values.  index=* sourcetype=* | rex field=clientip "(?<ip_subnet>\d+\.\d+\.\d+)" | eval ip_subnet_range=".0 - ".ip_subnet.".255" | eval ip_subnet=ip_subnet.".0/24" | stats count by ip_subnet | eventstats sum(count) as perc | eval percentage =round(count*100/perc,2) And  index=* sourcetype=* | rex field=clientip "(?<cidr_range>\d+\.\d+\.\d+)" | eval cidr_range=cidr_range.".0 - ".cidr_range.".255" | stats count by cidr_range | eventstats sum(count) as perc | eval percentage = round(count*100/perc,2) Thank you so much to  @bowesmana , @johnhuang , @yuanliu . I really appreciate all your help. ... View more

@johnhuang , yes it's  the correct fieldname. ... View more

@yuanliu , I tried the query you sent in addition to  the one from @bowesmana . Yes, I got results. A table included. 1st question: since I have over 100 IPs, do I have to individually add them here like you mentioned below? | eval clientip = mvappend("10.12.143.5","192.168.5.250","172.0.58.52","192.168.5.13","10.12.6.8","10.12.143.82","192.168.5.2") This was my query with pseudo IPs | makeresults index=* sourcetype=* | eval clientip = mvappend("1.1.1.9","1.3.146.253","1.21.112.32","3.6.71.70") | mvexpand clientip | rex field=src_ip "(?<cidr_range>\d+\.\d+\.\d+)" | eval cidr_range=cidr_range.".1 - ".cidr_range.".255" | stats count by cidr_range, clientip | eventstats sum(count) as perc | eval percentage = round(count*100/perc,2) I get a table that looks like this cidr_range clientip count perc percentage 1.1.1.1- 1.1.1.255 1.1.1.9 1 4 25 1.3.146.1- 1.3.146.255 1.3.146.253 1 4 25 1.21.112.1 - 1.21.112.255 1.21.112.32 1 4 25 3.6.71.1 -3.6.71.255 3.6.71.70 1 4 25 But when I use this query index=* clientip="*" | stats count by clientip to see/get all the list and count of the IPs individually I get something  roughly like this clientip count 1.1.1.9 800 1.3.146.253 75 1.21.112.32 44 3.6.71.70 52 In the logs, I have 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5 with their respective counts. It would be nice since they are in the same range to have them counted together in one column. That is I was hoping I could get the appropriate count for IPs within a cidr_range that way I can have a concise table instead of individual IPs and their count. Considering that I need to have a percentage of each cidr_range. ... View more

@yuanliu, Thanks for your post. I got an error message in the eval command and no results.  ... View more

@bowesmana , Thank you for responding. It still yielded individual IPs and no table.  ... View more

@johnhuang , Thanks for your response. For some reasons, I couldn't get statistics values or in tabular form. I did get events and it still gave me individual IPs. I am not sure what I did wrong. ... View more

@johnhuang Thank you for you help. The Query from @bowesmana worked. ... View more

@bowesmana Yes, the query you sent worked. Thank you so much. ... View more

Yes it is ... View more

@johnhuang failure, delivered, blocked ... View more

@johnhuang , with this  index=[index name] sourcetype=[sourcetypename] httpmethod=* status code=* | values(action) AS action I got nothing.  Did you mean this below?: index=[index name] sourcetype=[sourcetypename] httpmethod=* status code=* | stats values(action) AS action With the latter, I got a list of the actions in a table. ... View more

@bowesmana  Thank you for your response. I got some results with the queries you posted. However, it did not yield the result I anticipated. For example, when I just tried this below: index=[index name] sourcetype=[sourcetypename] httpmethod=* status code=* | stats count by src_ip I got in a tabular form src_ip, httpmethod, status code and the count for each IP. I was hoping to have a search that will yield on each IP the number of 400s, 200s and each count. That way I don't have to do a search differently for each IP in the table looking for their respective counts of 400s and 200s. ... View more

@johnhuang , Thank you for your response. I tried it, but no result came up. Do you have any other advice you might give? ... View more