Hi guys,
This little (?) thing has been wrecking my head all weekend. I'm trying to merge 2 stats commands, or somehow make my search look neater.
I want to see the number of emails sent to a specific person, but some of the events are showing up as 1, despite having a few recipients.
The only way I can get this result is where I do 2 separate stats commands one after the other:
| stats last(eventTime) as Detected_Time, values(quarantineFolder) as Type, values(senderIP) as Sender_IP, values("threatsInfoMap{}.threatType") as threat_type, values("threatsInfoMap{}.threat") as threat, values("threatsInfoMap{}.threatUrl") as threatUrl, values(malwareScore) as malwareScore by Email_Sender Email_Recipient | eventstats count as Recipient_occurrence by Email_Recipient | stats last(Detected_Time) as Detected_Time, values(Email_Recipient) as Email_Recipient, list(Recipient_occurrence) as Recipient_occurrence, values(Type) as Type, values(Sender_IP) as Sender_IP, values(threat_type) as threat_type, values(threat) as threat, values(threatUrl) as threatUrl, values(malwareScore) as malwareScore by Email_Sender | where isnotnull(Email_Sender)
Is there any other way to make it look better and more tidy?
Any help and tips will be greatly appreciated!
The two stats commands group by different fields so they cannot be merged.
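As an added illustration of why the two groupings differ (this is simulation code written for this reply, not anything from the post or from Splunk), here is a Python model of the three stages on constructed events. The sample events, the sender and recipient addresses, and the assumption that last() returns the most recent eventTime are all made up for the demonstration; the point it shows is that Recipient_occurrence is a per-recipient count taken across all senders, so it can only be computed while the rows are still keyed by Email_Recipient.

```python
from collections import defaultdict

# Constructed sample events (not from the original post): one event per
# sender/recipient pair, with a subset of the fields the search uses.
EVENTS = [
    {"eventTime": 1, "Email_Sender": "a@x.test", "Email_Recipient": "u1@y.test", "quarantineFolder": "Spam"},
    {"eventTime": 2, "Email_Sender": "a@x.test", "Email_Recipient": "u2@y.test", "quarantineFolder": "Spam"},
    {"eventTime": 3, "Email_Sender": "b@x.test", "Email_Recipient": "u1@y.test", "quarantineFolder": "Phish"},
    {"eventTime": 4, "Email_Sender": "a@x.test", "Email_Recipient": "u1@y.test", "quarantineFolder": "Phish"},
]


def stats_by_sender_recipient(events):
    """First stats: one row per (sender, recipient) pair.
    last(eventTime) is modelled as the most recent time (assumption);
    values(quarantineFolder) is a distinct set."""
    rows = {}
    for e in sorted(events, key=lambda e: e["eventTime"]):
        key = (e["Email_Sender"], e["Email_Recipient"])
        row = rows.setdefault(key, {"Detected_Time": None, "Type": set()})
        row["Detected_Time"] = e["eventTime"]
        row["Type"].add(e["quarantineFolder"])
    return rows


def eventstats_recipient_occurrence(rows):
    """eventstats count by Email_Recipient: count rows per recipient
    (across every sender) and attach that count to each row."""
    counts = defaultdict(int)
    for (_sender, recipient) in rows:
        counts[recipient] += 1
    return {k: dict(v, Recipient_occurrence=counts[k[1]]) for k, v in rows.items()}


def stats_by_sender(rows):
    """Second stats: collapse to one row per sender. list() keeps one
    entry per recipient row; values() keeps distinct values."""
    out = {}
    for (sender, recipient), r in rows.items():
        o = out.setdefault(sender, {"Detected_Time": 0, "Email_Recipient": set(),
                                    "Recipient_occurrence": [], "Type": set()})
        o["Detected_Time"] = max(o["Detected_Time"], r["Detected_Time"])
        o["Email_Recipient"].add(recipient)
        o["Recipient_occurrence"].append(r["Recipient_occurrence"])
        o["Type"] |= r["Type"]
    return out


def run_pipeline(events):
    """The whole three-stage search: stats -> eventstats -> stats."""
    return stats_by_sender(eventstats_recipient_occurrence(stats_by_sender_recipient(events)))
```

Recipient u1@y.test gets an occurrence of 2 on both senders' rows because it was counted across sender a and sender b before the final roll-up; a single stats by Email_Sender never sees the other sender's rows, which is the merge the answer says is impossible.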