When using this search I get the desired output, but it seems like a lot more work than it should be. Are there easier ways to do this?
sourcetype="bro_conn" src_ip=192.168.0.0/16 OR src_ip=172.16.0.0/12 OR src_ip=10.0.0.0/8 | stats count by src_ip | table src_ip | eval temp=split(src_ip,".") | eval oct1=mvindex(temp,0) | eval oct2=mvindex(temp,1) | eval oct3=mvindex(temp,2) | stats count by oct1,oct2,oct3 | eval VLANS=oct1.".".oct2.".".oct3 | table VLANS, count | rename count as "Devices on VLAN"
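A shorter form of the same count, as an added example that is not part of the original post: `rex` extracts the first three octets into `VLANS` in one step, and `dc(src_ip)` counts distinct source addresses per prefix, replacing the two `stats` passes and the `split`/`mvindex` evals. It assumes the same `bro_conn` sourcetype and `src_ip` field used in the search above.

```spl
sourcetype="bro_conn" (src_ip=192.168.0.0/16 OR src_ip=172.16.0.0/12 OR src_ip=10.0.0.0/8)
| rex field=src_ip "^(?<VLANS>\d+\.\d+\.\d+)\.\d+$"
| stats dc(src_ip) as "Devices on VLAN" by VLANS
```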