Alright. My current query looks something like this:
sourcetype=email action=accept ip=127.0.0.1 | stats count(subject), dc(recipients) by ip, subject
And this produces output like the following:
ip           subject   count   dc(recipients)
127.0.0.1    email1    10      10
127.0.0.1    email2    5       2
127.0.0.1    email3    1       1
How would I query this instead so I can group those results together by IP so I'd be looking at a format like this?
ip           subject   count   dc(recipients)
127.0.0.1    email1    10      10
             email2    5       2
             email3    1       1
I haven't figured out a query yet that will let me group by IP while still getting a count for each subject value, and a distinct count for the number of recipients for each subject value.
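One way to get that shape in SPL, as an added example rather than part of the original post: keep the first stats exactly as in the question (renaming the two aggregates so they are easy to refer to), then run a second stats over those rows with list() to roll each IP's subjects, counts and recipient counts into multivalue fields. The field names count and recipient_count are assumptions introduced here; the search filter and sourcetype are the ones from the post.

```spl
sourcetype=email action=accept ip=127.0.0.1
| stats count(subject) AS count, dc(recipients) AS recipient_count BY ip, subject
| stats list(subject) AS subject, list(count) AS count, list(recipient_count) AS "dc(recipients)" BY ip
```

Each IP then occupies a single row, with subject, count and dc(recipients) displayed as stacked multivalue cells that line up positionally (list() preserves the order of the rows it receives, so the nth subject matches the nth count). Two caveats worth checking before relying on it: list() keeps at most 100 values per field, so an IP with more than 100 distinct subjects is silently truncated, and a null in one of the aggregated fields shifts the alignment of the other two, so keep the first stats producing all three fields for every row. Dropping the ip=127.0.0.1 filter makes the same search produce one grouped row per sending IP.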