Could somebody assist with this query?

kelvinJE · ‎04-05-2018

Hi All

We're importing our WAF logs into Splunk, and I'd like to create a table to shows where traffic is originating, and how its being actioned. This can be generated from 2 fields -

Country - List of Countries
Action - What action was taken

The issue is, I want to use Action to generate the dynamic columns, and add a couple of additional data points, such as:

Country     Blocked     Allowed    Held          Total Requests     % Blocked
UK               10     80         10            100                10% 
IRE
IT

I managed to get a table based upon country and action using

 | chart count over country by action

and

 | chart count over action by country

But using this method, I don't think its possible to add the Totals Requests or the % blocked.

adonio · ‎04-05-2018

hello there,

maybe try something like this:

... | stats count as "Total" count(eval(action=="Allowed")) as Allowed count(eval(action=="Blocked")) as Blocked count(eval(action=="Held")) as Held by Country
| eval perc_blocked = round(Blocked/Total*100, 2)

hope it helps

elliotproebstel · ‎04-05-2018

Try this:

| chart count over country by action 
| addtotals fieldname="Total Requests"   
| eval "% Blocked"=tostring(round((blocked/'Total Requests'*100), 2))."%"

Could somebody assist with this query?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability