Hi All
We're importing our WAF logs into Splunk, and I'd like to create a table that shows where traffic is originating and how it's being actioned. This can be generated from 2 fields:
Country - List of Countries
Action - What action was taken
The issue is, I want to use Action to generate the dynamic columns, and add a couple of additional data points, such as:
Country   Blocked   Allowed   Held   Total Requests   % Blocked
UK        10        80        10     100              10%
IRE
IT
I managed to get a table based upon country and action using
| chart count over country by action
and
| chart count over action by country
But using this method, I don't think it's possible to add the Total Requests or the % Blocked.
hello there,
maybe try something like this:
... | stats count as "Total" count(eval(action=="Allowed")) as Allowed count(eval(action=="Blocked")) as Blocked count(eval(action=="Held")) as Held by Country
| eval perc_blocked = round(Blocked/Total*100, 2)
hope it helps
Try this:
| chart count over country by action
| addtotals fieldname="Total Requests"
| eval "% Blocked"=tostring(round((blocked/'Total Requests'*100), 2))."%"
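A complete, self-contained version of the search described in both answers above, added here as an illustration rather than taken from either reply. It builds a small constructed sample of country/action pairs with makeresults so it can be pasted into any Splunk search bar without WAF data, then uses the stats approach from the first answer. Two details worth checking against real data: eval's == comparison is case-sensitive, so the literal action values ("Blocked", "Allowed", "Held") must match the case that appears in the events (the same applies to column names produced by chart ... by action, which are named after the values exactly as they occur), and the percentage is guarded against a zero denominator even though stats ... by country always yields at least one request per row.

```spl
| makeresults
| eval data="UK:Blocked,UK:Allowed,UK:Allowed,UK:Held,IRE:Allowed,IRE:Blocked,IT:Allowed"
| makemv delim="," data
| mvexpand data
| rex field=data "(?<country>[^:]+):(?<action>.+)"
| fields - data _time
| stats count AS "Total Requests"
        count(eval(action=="Blocked")) AS Blocked
        count(eval(action=="Allowed")) AS Allowed
        count(eval(action=="Held")) AS Held
  BY country
| eval "% Blocked" = if('Total Requests' > 0, tostring(round(Blocked / 'Total Requests' * 100, 2)) . "%", "0%")
| table country Blocked Allowed Held "Total Requests" "% Blocked"
```

On real data, replace everything before the stats command with the WAF search (for example index=waf). The constructed sample above should give UK 1 blocked of 4 requests (25%), IRE 1 of 2 (50%) and IT 0 of 1 (0%). To use the chart + addtotals form from the second answer instead, reference the dynamically created columns with single quotes and the exact case of the action values, e.g. 'Blocked' / 'Total Requests'.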