You would need to make an inventory of all your devices. Store it in a CSV file like this
device,ip,country,latitude,longitude
www1,10.10.2.101,US,33.8090,-117.9190
www2,10.20.2.102,France,48.8687,2.7818
I added the lat/lon just for fun, but you don't need it. Use this CSV file to create a lookup table: Use field lookups...
If you do this, then you could run this search (if you named the lookup "device_lookup"):
index=_internal sourcetype="splunkd" group=tcpin_connections
| dedup sourceHost
| lookup device_lookup device as sourceHost
| stats count by hostname, sourceHost, fwdType, guid, os, arch, country
Or
index=_internal sourcetype="splunkd" group=tcpin_connections
| eval sourceHost=coalesce(hostname, sourceHost)
| lookup device_lookup device as sourceHost
| stats sum(kb) as total_KB by sourceHost, fwdType, guid, os, arch
Or even
index=_internal sourcetype="splunkd" group=tcpin_connections
| eval sourceHost=coalesce(hostname, sourceHost)
| lookup device_lookup device as sourceHost
| geostats latfield=latitude longfield=longitude sum(kb) as total_KB by sourceHost
... View more