Splunk Search

stats count(eval(recipient="@thing.com*")) not providing results

Denorsmith
Engager

I have a search I am running, and I am trying to enumerate this one specific email domain's email responses, if it was blocked, delivered, so on. When I run this search (will be below) I get my stats table just fine, but I get no results per main field. What am I doing wrong?

index=emails
| search recipient="*@thing.com*" OR Recipient="*@thing.com*"
| stats count(eval((recipient="*@thing.com") OR (Recipient="*@thing.com*"))) AS @thing BY email_response

 

Table looks like this 

email_response                                                             @thing

blocked                                                                               0

delivered                                                                            0

quarantined                                                                      0

Labels (5)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Since you are already filtering on whether recipient is @thing.com, why do you need to filter again in the stats?

index=emails
| search recipient="*@thing.com*" OR Recipient="*@thing.com*"
| stats count AS @thing BY email_response

However, if you still feel you need it, you could use the like function (note that % are used for wildcards)

index=emails
| search recipient="*@thing.com*" OR Recipient="*@thing.com*"
| stats count(eval(like(recipient,"%@thing.com%") OR like(Recipient,"%@thing.com%"))) AS @thing BY email_response

 

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Since you are already filtering on whether recipient is @thing.com, why do you need to filter again in the stats?

index=emails
| search recipient="*@thing.com*" OR Recipient="*@thing.com*"
| stats count AS @thing BY email_response

However, if you still feel you need it, you could use the like function (note that % are used for wildcards)

index=emails
| search recipient="*@thing.com*" OR Recipient="*@thing.com*"
| stats count(eval(like(recipient,"%@thing.com%") OR like(Recipient,"%@thing.com%"))) AS @thing BY email_response

 

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...