index=main sourcetype=email address=* | eval domain=case(address LIKE "%gmail.com", "GMAIL", address LIKE "%yahoo.com", "YAHOO", address LIKE "%hotmail.com", "HOTMAIL") | stats count by domain
(% is the wildcard)
There are many ways to do this so I hope other folks add their examples.
For completeness here's another way to achieve this:
index=* address=* | eval x=split(address, "@") | eval domain=mvindex(x,1)
Not sure which solution is faster, though.
You could also use rex on your email address field to capture the domain in a separate field. That way you do not have to list out every possible domain case in an eval statement.
For example:
index=<your index> sourcetype=<your sourcetype> | rex field=<email_address_field> "[^@\s]+@(?<domain>[^@\s]+)" | ...
This captures your domains in a separate field (domain). Hope this helps.
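Pulling the three approaches above together, here is an added example (it is not from any of the answers, and the field name `address` and the sample values are constructed assumptions) that can be pasted into a Splunk search bar as-is. It generates a few sample addresses with `makeresults`, extracts the full domain with `rex`, normalises case, and then buckets the domains with `case()`. Against real data, drop the first four lines and start from `index=main sourcetype=email address=*` instead.

```spl
| makeresults count=1
| eval address="Alice.Smith@Gmail.com;bob@mail.example.co.uk;carol@hotmail.com;dave@yahoo.com;no-at-sign;erin@GMAIL.COM;frank@notgmail.com"
| makemv delim=";" address
| mvexpand address
| rex field=address "@(?<domain>[^@\s]+)$"
| eval domain=coalesce(lower(domain), "NONE")
| eval provider=case(
      match(domain, "(^|\.)gmail\.com$"),   "GMAIL",
      match(domain, "(^|\.)yahoo\.com$"),   "YAHOO",
      match(domain, "(^|\.)hotmail\.com$"), "HOTMAIL",
      domain="NONE",                        "NO_DOMAIN",
      true(),                               "OTHER")
| stats count by provider domain
| sort -count
```

A few design points. The `rex` pattern keeps everything after the last `@`, so `mail.example.co.uk` survives intact rather than being cut to `mail`, and an address with no `@` leaves `domain` null. The `coalesce(..., "NONE")` matters because `stats ... by domain` silently drops events whose by-field is null, so bad records would otherwise vanish from the report. Lowercasing first means `Gmail.com` and `GMAIL.COM` land in the same bucket without relying on how case-sensitive the comparison is. Finally, the `(^|\.)` anchor in the `match()` patterns means `notgmail.com` is counted as `OTHER`, whereas `LIKE "%gmail.com"` would have counted it as `GMAIL`; and the `true()` branch ensures every domain gets a provider instead of a null. On the sample data this yields GMAIL 2, with one row each for HOTMAIL, YAHOO, NO_DOMAIN and the two OTHER domains.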