Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I calculate field value percentages for multiple data sets?

andrewgbennett3
New Member
‎11-03-2017 05:38 AM

For the purpose of this question, a given event contains the following fields:
vulnerability name, data center, ip address

Events are generated on a vulnerability name basis, so that each event will have a unique vulnerability name but may have duplicate values as other events for ip address and data center. Each data center has a different number of ip addresses associated with it.

Goal:
Identify the count for 5 unique field values (vulnerability name) per data center. Calculate the percent of unique ip address field values per data center that also have one of the 5 specified vulnerability name field values.

Current search:

some search (vulnerability name=”vuln 1“ OR vulnerability name=”vuln 2“ OR vulnerability name=”vuln 3“ OR vulnerability name=”vuln 4“ OR vulnerability name=”vuln 5“) 
|stats count by Data Center,Vulnerability name

Current output:

Data Center     Vulnerability Name  Count

Data Center A       Vuln 1             75       
Data Center A       Vuln 3             20       
Data Center A       Vuln 4             6        
Data Center A       Vuln 5             15       
Data Center B       Vuln 2             75       
Data Center B       Vuln 5             18       
Data Center C      Vuln 3             24

The problem with my search at this point is that it eliminates any events that do not contain one of the 5 unique vulnerabilities. Therefore, I cannot reference the total number of IP addresses that may belong to a data center in order to calculate a percentage.

Desired Output:

Data Center     Vulnerability Name  Count       Vulnerable IP Addresses

Data Center A       Vuln 1             75            37%
Data Center A       Vuln 3             20            10%
Data Center A       Vuln 4             6              3%
Data Center A       Vuln 5             15            7%
Data Center B       Vuln 2             75            12%
Data Center B       Vuln 5             18            3%
Data Center C      Vuln 3             24             48%

Note: For this sample desired output, Data Center A has 200 IP addresses, B has 600, and C has 100.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-03-2017 07:46 AM

Give this a try

some search 
|stats count as Count by "Data Center","Vulnerability name"
| eventstats sum(Count) as Total by "Data Center"
| where 'Vulnerability name'="vuln 1" OR 'Vulnerability name'="vuln 2" OR 'Vulnerability name'="vuln 3" OR 'Vulnerability name'="vuln 4" OR 'Vulnerability name'="vuln 5"
| eval "Vulnerable IP Addresses"=round(Count*100/Total) | fields - Total

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-03-2017 07:46 AM

Give this a try

some search 
|stats count as Count by "Data Center","Vulnerability name"
| eventstats sum(Count) as Total by "Data Center"
| where 'Vulnerability name'="vuln 1" OR 'Vulnerability name'="vuln 2" OR 'Vulnerability name'="vuln 3" OR 'Vulnerability name'="vuln 4" OR 'Vulnerability name'="vuln 5"
| eval "Vulnerable IP Addresses"=round(Count*100/Total) | fields - Total
0 Karma
Reply
Solved! Jump to solution

andrewgbennett3
New Member
‎11-03-2017 08:17 AM

Thanks for the quick response! That search does provide the desired format. The only issue is the number of events being referenced for the "Total by Data Center"

The number of IP addresses and the number of events is not equal. Because events are created per vulnerability, there can be 20+ events per ip address. The eval references the "Total" which is based off of ALL events which causes the percentage to be inaccurate.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-03-2017 08:33 AM

So the percentage is calculated based on distinct IP addresses with that vulnerability? If yes, give this a shot

some search 
 |stats count as Count dc( by "Data Center","Vulnerability name" ip_address
 | eventstats dc(ip_address)  as TotalIP by "Data Center"
 | stats sum(Count) as Count max(TotalIP) as TotalIP dc(ip_address) as IPCount by "Data Center","Vulnerability name"
 | where 'Vulnerability name'="vuln 1" OR 'Vulnerability name'="vuln 2" OR 'Vulnerability name'="vuln 3" OR 'Vulnerability name'="vuln 4" OR 'Vulnerability name'="vuln 5"
 | eval "Vulnerable IP Addresses"=round(IPCount *100/TotalIP ) | fields - TotalIP IPCount
0 Karma
Reply
Solved! Jump to solution

andrewgbennett3
New Member
‎11-03-2017 11:20 AM

This works perfectly, thanks so much!

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...