Alright. My current query looks something like this:
sourcetype=email action=accept ip=127.0.0.1 | stats count(subject), dc(recipients) by ip, subject
And this produces output like the following:
ip subject count dc(recipients)
127.0.0.1 email1 10 10
127.0.0.1 email2 5 2
127.0.0.1 email3 1 1
How would I query this instead so I can group those results together by IP so I'd be looking at a format like this?
ip subject count dc(recipients)
127.0.0.1 email1 10 10
email2 5 2
email3 1 1
I haven't figured out a query yet that will let me group by IP while still getting a count for each subject value, and a distinct count for the number of recipients for each subject value.
Try this,
sourcetype=email action=accept ip=127.0.0.1 | stats count(subject) as count, dc(recipients) as recipients by ip, subject | stats list(subject) as subject, list(count) as count, list(recipients) as recipients by ip
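An added variant of that query (not from the original answer) that also orders each IP's rows by count and carries a per-IP total; `list()` is used rather than `values()` because `list()` keeps the three multivalue columns aligned row by row, while `values()` deduplicates and sorts each field independently.

```spl
sourcetype=email action=accept ip=127.0.0.1
| stats count(subject) as count, dc(recipients) as recipients by ip, subject
| sort 0 ip -count
| stats list(subject) as subject, list(count) as count, list(recipients) as recipients, sum(count) as total by ip
```

`list()` returns at most 100 values per group, so an IP with more than 100 distinct subjects will be truncated in the grouped view.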
Beautiful solution. Thanks for providing. Found this independently 2 yrs after you posted it.
Awesome! This does exactly what I need it to. Thanks!