I have a search "host=192.168.68.0/23|table host |dedup host" that gives me a list of IP addresses. I would like to turn this into a dashboard item that will report the total number of hosts in this network. How can I do that?
The classic way:
host=192.168.68.0/23 | stats dc(host) as host_count
A bit more advanced (and faster):
| tstats dc(host) as host_count where index=<your_index> sourcetype=<your_sourcetype> host=192.168.68.0/23
If you are looking for just count, this should work
<your search>|stats count by host|fields count
Actually if you want only the count of the number of hosts, you would have to do:
<your search> |stats count by host | stats count
@AJeepDude, I am not sure how your query is working. In the base search you have filtered only one host then table host should give you only one result. Can you provide the index or sourcetype for your base search?
If you have to find the total number of hosts, you should better try dbinspect which gives hostCount or metadata or tstats command specifically for such statistics. Read the documentation and based on your needs coming up with desired query should be easy.
The search is not filtering to one host, it is a CIDR Notation.
Splunk handles CIDR notations.
All hosts with an IP address in the 192.168.68.0/23 (512 possibilities here) network should be returned!