I have a search I am running, and I am trying to enumerate this one specific email domain's email responses: whether it was blocked, delivered, and so on. When I run this search (will be below) I get my stats table just fine, but I get no results for the main field. What am I doing wrong?
index=emails
| search recipient="*@thing.com*" OR Recipient="*@thing.com*"
| stats count(eval((recipient="*@thing.com") OR (Recipient="*@thing.com*"))) AS @thing BY email_response
Table looks like this
email_response @thing
blocked 0
delivered 0
quarantined 0
Since you are already filtering on whether recipient is @thing.com, why do you need to filter again in the stats?
index=emails
| search recipient="*@thing.com*" OR Recipient="*@thing.com*"
| stats count AS @thing BY email_response
However, if you still feel you need it, you could use the like function (note that % are used for wildcards)
index=emails
| search recipient="*@thing.com*" OR Recipient="*@thing.com*"
| stats count(eval(like(recipient,"%@thing.com%") OR like(Recipient,"%@thing.com%"))) AS @thing BY email_response
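As an added example (not part of the original question or answer), the same per-response count done with an anchored regex on constructed sample rows from makeresults: inside eval, `=` compares strings literally (no wildcard expansion), which is why the original eval counts were 0, and a `%@thing.com%` pattern would also count addresses whose domain merely begins with thing.com, like the constructed bob@thing.com.evil.net row. Field names rcpt, is_thing and thing_count are my own choices.

```spl
| makeresults
| eval rec=split("alice@thing.com|delivered,bob@thing.com.evil.net|blocked,carol@thing.com|quarantined,dave@other.org|delivered", ",")
| mvexpand rec
| rex field=rec "^(?<recipient>[^|]+)\|(?<email_response>.+)$"
| eval rcpt=lower(coalesce(recipient, Recipient))
| eval is_thing=if(match(rcpt, "@thing\.com$"), 1, 0)
| stats sum(is_thing) AS thing_count BY email_response
```

Only alice and carol are counted; bob's lookalike domain and dave's other domain contribute 0 to their email_response rows. Replace the makeresults/rex lines with `index=emails` to run it against the real index.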