Hi,

We have a use-case where responses (host_addr) returned from DNS queries are passed through the AbuseIPDB API to check for any potential matches. Since the API has a set limit, we don't want to query an IP more than once. To achieve this, stats is used to get distinct values and then it is passed through the API. It works well, but due to the use of "stats", we lose all the other crucial fields from the original data, e.g. src_ip, query etc.

Here's a sample query:

    <Base Search> | stats count by host_addr | table host_addr | abuseip ipfield=host_addr | sort - AbuseConfidence

Could eventstats come to the rescue here? If so, what could be a potential syntax of that search? From the other examples I saw, eventstats seems to be more useful when performing an actual stats function like sum etc.

End goal is to create something like

    | table src_ip, query, host_addr, LastReportedAt, AbuseConfidence

but also keeping API limits in check (using only unique values of host_addr).

Any pointers on this will be appreciated.

Thanks,
~ Abhi
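One way to keep the API call count at one per unique host_addr while retaining the other fields, shown here as an added example that is not part of the original post: instead of dropping the fields with `stats count`, aggregate them with `values()` so each unique host_addr carries its associated src_ip and query values as multivalue fields into the enrichment command. This assumes the `abuseip` custom command and the `AbuseConfidence` and `LastReportedAt` fields behave as described in the post, and `dns_answers` is an assumed name for the per-address count.

```spl
<Base Search>
| stats values(src_ip) AS src_ip values(query) AS query count AS dns_answers BY host_addr
| abuseip ipfield=host_addr
| sort - AbuseConfidence
| table src_ip, query, host_addr, dns_answers, LastReportedAt, AbuseConfidence
```

Because `stats ... BY host_addr` emits exactly one row per distinct address, `abuseip` is invoked once per IP regardless of how many DNS events resolved to it, which is what keeps the API quota in check. `eventstats` does not help here: it annotates every original event rather than collapsing them, so the enrichment command would still see one row per event. If per-source rows are needed after enrichment, `| mvexpand src_ip` after the `abuseip` step splits the multivalue field back out without triggering additional API calls.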