Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I calculate field value percentages for multiple data sets?

andrewgbennett3
New Member
‎11-03-2017 05:38 AM

For the purpose of this question, a given event contains the following fields:
vulnerability name, data center, ip address

Events are generated on a vulnerability name basis, so that each event will have a unique vulnerability name but may have duplicate values as other events for ip address and data center. Each data center has a different number of ip addresses associated with it.

Goal:
Identify the count for 5 unique field values (vulnerability name) per data center. Calculate the percent of unique ip address field values per data center that also have one of the 5 specified vulnerability name field values.

Current search:

some search (vulnerability name=”vuln 1“ OR vulnerability name=”vuln 2“ OR vulnerability name=”vuln 3“ OR vulnerability name=”vuln 4“ OR vulnerability name=”vuln 5“) 
|stats count by Data Center,Vulnerability name

Current output:

Data Center     Vulnerability Name  Count

Data Center A       Vuln 1             75       
Data Center A       Vuln 3             20       
Data Center A       Vuln 4             6        
Data Center A       Vuln 5             15       
Data Center B       Vuln 2             75       
Data Center B       Vuln 5             18       
Data Center C      Vuln 3             24

The problem with my search at this point is that it eliminates any events that do not contain one of the 5 unique vulnerabilities. Therefore, I cannot reference the total number of IP addresses that may belong to a data center in order to calculate a percentage.

Desired Output:

Data Center     Vulnerability Name  Count       Vulnerable IP Addresses

Data Center A       Vuln 1             75            37%
Data Center A       Vuln 3             20            10%
Data Center A       Vuln 4             6              3%
Data Center A       Vuln 5             15            7%
Data Center B       Vuln 2             75            12%
Data Center B       Vuln 5             18            3%
Data Center C      Vuln 3             24             48%

Note: For this sample desired output, Data Center A has 200 IP addresses, B has 600, and C has 100.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-03-2017 07:46 AM

Give this a try

some search 
|stats count as Count by "Data Center","Vulnerability name"
| eventstats sum(Count) as Total by "Data Center"
| where 'Vulnerability name'="vuln 1" OR 'Vulnerability name'="vuln 2" OR 'Vulnerability name'="vuln 3" OR 'Vulnerability name'="vuln 4" OR 'Vulnerability name'="vuln 5"
| eval "Vulnerable IP Addresses"=round(Count*100/Total) | fields - Total

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-03-2017 07:46 AM

Give this a try

some search 
|stats count as Count by "Data Center","Vulnerability name"
| eventstats sum(Count) as Total by "Data Center"
| where 'Vulnerability name'="vuln 1" OR 'Vulnerability name'="vuln 2" OR 'Vulnerability name'="vuln 3" OR 'Vulnerability name'="vuln 4" OR 'Vulnerability name'="vuln 5"
| eval "Vulnerable IP Addresses"=round(Count*100/Total) | fields - Total
0 Karma
Reply
Solved! Jump to solution

andrewgbennett3
New Member
‎11-03-2017 08:17 AM

Thanks for the quick response! That search does provide the desired format. The only issue is the number of events being referenced for the "Total by Data Center"

The number of IP addresses and the number of events is not equal. Because events are created per vulnerability, there can be 20+ events per ip address. The eval references the "Total" which is based off of ALL events which causes the percentage to be inaccurate.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-03-2017 08:33 AM

So the percentage is calculated based on distinct IP addresses with that vulnerability? If yes, give this a shot

some search 
 |stats count as Count dc( by "Data Center","Vulnerability name" ip_address
 | eventstats dc(ip_address)  as TotalIP by "Data Center"
 | stats sum(Count) as Count max(TotalIP) as TotalIP dc(ip_address) as IPCount by "Data Center","Vulnerability name"
 | where 'Vulnerability name'="vuln 1" OR 'Vulnerability name'="vuln 2" OR 'Vulnerability name'="vuln 3" OR 'Vulnerability name'="vuln 4" OR 'Vulnerability name'="vuln 5"
 | eval "Vulnerable IP Addresses"=round(IPCount *100/TotalIP ) | fields - TotalIP IPCount
0 Karma
Reply
Solved! Jump to solution

andrewgbennett3
New Member
‎11-03-2017 11:20 AM

This works perfectly, thanks so much!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...