```Per-destination share of netflow records for sources listed in src.csv, excluding the CIDR ranges below; the final output is limited to six chosen destination IPs.```
index=netflow
```Tag events whose src_ip has a row in src.csv; events without a match get no lookup_src_ip. NOTE(review): a CSV file lookup is presumably exact-match on src_ip - confirm that no CIDR or wildcard matching is expected.```
| lookup src.csv src_ip OUTPUT src_ip as lookup_src_ip
```Drop events whose dest_ip falls inside any listed range. The A1.B1.C1.D1/E1 style values and the ... line are placeholders to be filled in before running.```
| where NOT (
cidrmatch("A1.B1.C1.D1/E1", dest_ip) OR
cidrmatch("A2.B2.C2.D2/E2", dest_ip) OR
...
cidrmatch("An.Bn.Cn.Dn/En", dest_ip)
)
```Keep only events whose source was found in the lookup, and discard flows where the destination equals that source address.```
| where isnotnull(lookup_src_ip) AND dest_ip != lookup_src_ip
```num_of_dest is the number of flow records per dest_ip (stats count), not bytes or packets.```
| stats count as num_of_dest by dest_ip
```total_dest sums every destination that survived the filters above, so the percentage denominator is all remaining traffic, not only the IPs selected below.```
| eventstats sum(num_of_dest) as total_dest
| eval percentage_of_dest=round(num_of_dest/total_dest*100, 2)
```This filter only narrows the displayed rows; it must stay after eventstats/eval, otherwise the denominator would shrink to the six listed IPs.```
| where dest_ip IN ("IP1", "IP2", "IP3", "IP4", "IP5", "IP6")
| table dest_ip, num_of_dest, percentage_of_dest