When I do this search, I get 17 results back:
index=hubtracking | where like(sender_address, "%@gmail.com")
I want to put this into a field, that counts the number of emails coming from gmail.com. So I try to do this:
index=hubtracking | stats count(where like(sender_address, "%@gmail.com")) as GmailCount
But the above search returns 0 results! What am I doing wrong?
Ultimately, what I want to do is have a count of the number of emails coming from or going to gmail.com (by request from our IT Security Department). I would think that I do this...am I on the right track? Please help.
index=hubtracking | stats count(where like(sender_address, "%@gmail.com") OR like(recipient_address) as GmailCount
The where command may be overkill here, since you can simply do:
which has 17 results, or:
index=hubtracking sender_address="*@gmail.com" | stats count
which has only 1 result, with a count field, whose value is
You probably want to extract the email domain as its own field though, either with a field extraction or simply with the rex command. Here's a quick example using the rex command to extract an email_domain field from the sender_address field. With that field I then build a simple report of all the outside domains:
index=hubtracking NOT sender_address="*@actualcompany.com" | rex field=sender_address "(?<email_username>[^@]+)?@(?<email_domain>.+)" | stats count by email_domain
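To answer the original ask in one search (a count of mail where either the sender or the recipient is at gmail.com), here is an added example that is not from the thread above. It assumes sender_address and recipient_address are single-valued fields in the hubtracking index, extracts the domain from each with rex, lowercases it (eval string comparison is case-sensitive), and then sums a 0/1 flag alongside the total:

```spl
index=hubtracking
| rex field=sender_address "@(?<sender_domain>[^@]+)$"
| rex field=recipient_address "@(?<recipient_domain>[^@]+)$"
| eval gmail_involved=if(lower(sender_domain)="gmail.com" OR lower(recipient_domain)="gmail.com", 1, 0)
| stats count AS TotalMail, sum(gmail_involved) AS GmailCount
```

Events where rex finds no "@" get no domain field, the comparison is false, and they count as 0, so TotalMail still reflects every event while GmailCount only counts the gmail.com ones.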
Great thanks, this helped me to figure out:
rex field=senderaddress ".[^@]+?@(?<senderdomain>.+)"
Which allows me to do further filtering on just the information I needed in that field.