https://community.splunk.com/t5/Splunk-Search/What-stats-eval-to-use-to-find-results-of-email-recipients-who/m-p/634610#M220469 <P>Assuming your recipient field is called recipient, try something like this</P><LI-CODE lang="markup">| stats earliest(time) AS First_Seen, latest(time) AS Last_Seen count(eval(eventType="clicksPermitted")) AS Clicks_Permitted, count(eval(eventType="clicksBlocked")) AS Clicks_Blocked, values(eval(if(eventType=="clicksPermitted",recipient,null()))) as recipients values(threatURL) AS TAP_Link BY sender, classification, url</LI-CODE> Wed, 15 Mar 2023 15:24:26 GMT ITWhisperer 2023-03-15T15:24:26Z https://community.splunk.com/t5/Splunk-Search/What-stats-eval-to-use-to-find-results-of-email-recipients-who/m-p/634609#M220468 <P>Hello,</P> <P>I'm building a report to list all phishing and malware threat detections by sender, classification, and threat url. The data contains two types of events "clicksAllowed" and "clicksBlocked". I want to add a list of recipients if their click was allowed "clicksAllowed" and I'm struggling with how to structure my query. I'm currently trying to do this with stats and eval (I thought about using subsearch too maybe), hopefully, I'm on the right track but I can't figure out how to show only the recipients who clicked while still showing counts of how many clicks were allowed and blocked.</P> <P>Current search (without who clicked):</P> <P>index=tap sourcetype="pp_tap_siem" classification IN (phish, malware) threatStatus=active<BR />| eval time=strftime(_time,"%m/%d/%y @ %H:%M:%S")<BR />| stats earliest(time) AS First_Seen, latest(time) AS Last_Seen count(eval(eventType="clicksPermitted")) AS Clicks_Permitted, count(eval(eventType="clicksBlocked")) AS Clicks_Blocked, values(threatURL) AS TAP_Link BY sender, classification, url<BR />| table First_Seen, Last_Seen, classification, sender, Clicks_Permitted, Clicks_Blocked, AT_Risk_Users, url, TAP_Link<BR />| sort -Last_Seen</P> <P>Output looks like:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="11.11111111111111%">First_Seen</TD> <TD width="11.11111111111111%">Last_Seen</TD> <TD width="11.11111111111111%">classification</TD> <TD width="5.426900584795321%">sender</TD> <TD width="16.795321637426902%">Clicks_Permitted</TD> <TD width="11.11111111111111%">Clicks_Blocked</TD> <TD width="11.11111111111111%">&nbsp;AT_Risk_Users</TD> <TD width="11.11111111111111%">url</TD> <TD width="11.11111111111111%">TAP_Link</TD> </TR> <TR> <TD width="11.11111111111111%"><SPAN>03/14/23 @ 17:52:36</SPAN></TD> <TD width="11.11111111111111%"><SPAN>03/14/23 @ 17:52:36</SPAN></TD> <TD width="11.11111111111111%"><SPAN>phish</SPAN></TD> <TD width="5.426900584795321%">badguy@domain.com</TD> <TD width="16.795321637426902%">1</TD> <TD width="11.11111111111111%">1</TD> <TD width="11.11111111111111%">list of 1 person here</TD> <TD width="11.11111111111111%">hxxp://baddomain.com</TD> <TD width="11.11111111111111%">hxxp://link_tothreatintel_webportal.com/uniqueguid</TD> </TR> <TR> <TD width="11.11111111111111%"><SPAN>01/05/23 @ 12:34:44</SPAN></TD> <TD width="11.11111111111111%"><SPAN>01/05/23 @ 17:44:41</SPAN></TD> <TD width="11.11111111111111%"><SPAN>phish</SPAN></TD> <TD width="5.426900584795321%">badguy2@domain.com</TD> <TD width="16.795321637426902%">39</TD> <TD width="11.11111111111111%">3</TD> <TD width="11.11111111111111%">list of 39 people here</TD> <TD width="11.11111111111111%">hxxp://baddomain2.com</TD> <TD width="11.11111111111111%">hxxp://link_tothreatintel_webportal.com/uniqueguid</TD> </TR> <TR> <TD width="11.11111111111111%"><SPAN>01/18/23 @ 15:43:20</SPAN></TD> <TD width="11.11111111111111%"><SPAN>02/16/23 @ 22:46:19</SPAN></TD> <TD width="11.11111111111111%">malware</TD> <TD width="5.426900584795321%">badguy3@domain.com</TD> <TD width="16.795321637426902%">4</TD> <TD width="11.11111111111111%">0</TD> <TD width="11.11111111111111%">list of 4 people here</TD> <TD width="11.11111111111111%">hxxp://baddomain.com</TD> <TD width="11.11111111111111%">hxxp://link_tothreatintel_webportal.com/uniqueguid</TD> </TR> </TBODY> </TABLE> Wed, 15 Mar 2023 18:28:48 GMT https://community.splunk.com/t5/Splunk-Search/What-stats-eval-to-use-to-find-results-of-email-recipients-who/m-p/634609#M220468 0p3r4t0r8089 2023-03-15T18:28:48Z https://community.splunk.com/t5/Splunk-Search/What-stats-eval-to-use-to-find-results-of-email-recipients-who/m-p/634610#M220469 <P>Assuming your recipient field is called recipient, try something like this</P><LI-CODE lang="markup">| stats earliest(time) AS First_Seen, latest(time) AS Last_Seen count(eval(eventType="clicksPermitted")) AS Clicks_Permitted, count(eval(eventType="clicksBlocked")) AS Clicks_Blocked, values(eval(if(eventType=="clicksPermitted",recipient,null()))) as recipients values(threatURL) AS TAP_Link BY sender, classification, url</LI-CODE> Wed, 15 Mar 2023 15:24:26 GMT https://community.splunk.com/t5/Splunk-Search/What-stats-eval-to-use-to-find-results-of-email-recipients-who/m-p/634610#M220469 ITWhisperer 2023-03-15T15:24:26Z https://community.splunk.com/t5/Splunk-Search/What-stats-eval-to-use-to-find-results-of-email-recipients-who/m-p/634621#M220476 <P>Thanks,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;! That's exactly what I needed!</P> Wed, 15 Mar 2023 16:31:10 GMT https://community.splunk.com/t5/Splunk-Search/What-stats-eval-to-use-to-find-results-of-email-recipients-who/m-p/634621#M220476 0p3r4t0r8089 2023-03-15T16:31:10Z