I have events coming in from an email spam appliance and would like to have an alert on spam campaigns with a unique sender, subject or content if they exceed a certain number (e.g. 50).
I'm scratching my head trying to create a search to get a count of events with common value for the subject field as a start.
index="mail" | stats dc(subject) as subjectcount | where subjectcount > 50
Like this:
index="mail"
| stats count dc(recipient) BY subject
| where count > 50
This was incredibly easy in the end... your answer is pretty much what I was trying to get to, only I didn't want to see the count per recipient, only the overall count of distinct subject headers, so:
index="mail" | stats count by subject | search count>50
Added an alert which is only triggered when the count is greater than 50 🙂
I try to add a little bonus value where I can; sometimes I am off the mark.
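The logic of the two searches in this thread (`stats count dc(recipient) BY subject | where count > 50` and `stats count by subject | search count>50`), as an added Python example that is not from the thread or from Splunk, run over constructed sample events so it can be checked offline. The names SAMPLE_EVENTS, stats_count_dc and campaigns_over are my own; the grouping field is a parameter so the same check covers the sender-based campaign mentioned in the question.

```python
from collections import defaultdict

# Constructed sample events standing in for index="mail" (not real appliance data):
# 60 copies of one campaign subject reaching 55 distinct recipients, plus ordinary mail.
SAMPLE_EVENTS = (
    [{"sender": f"promo{i % 3}@example.net", "subject": "You have won",
      "recipient": f"user{i % 55}@example.com"} for i in range(60)]
    + [{"sender": "alice@example.com", "subject": "Lunch?",
        "recipient": "bob@example.com"} for _ in range(4)]
    + [{"sender": "hr@example.com", "subject": "Payroll update",
        "recipient": f"staff{i}@example.com"} for i in range(12)]
)


def stats_count_dc(events, by="subject", dc_field="recipient"):
    """Equivalent of `| stats count dc(<dc_field>) BY <by>`.

    Returns {group_value: (count, distinct_count)}. Events without the grouping
    field are skipped, and null values are not counted toward dc(), matching stats.
    """
    counts = defaultdict(int)
    distinct = defaultdict(set)
    for ev in events:
        key = ev.get(by)
        if key is None:
            continue
        counts[key] += 1
        value = ev.get(dc_field)
        if value is not None:
            distinct[key].add(value)
    return {k: (counts[k], len(distinct[k])) for k in counts}


def campaigns_over(events, threshold=50, by="subject"):
    """Equivalent of `... | where count > <threshold>`, ordered by count descending.

    Returns a list of (group_value, count, distinct_recipients) tuples; an alert
    would fire whenever this list is non-empty.
    """
    rows = stats_count_dc(events, by=by)
    hits = [(k, c, d) for k, (c, d) in rows.items() if c > threshold]
    return sorted(hits, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for subject, count, dc in campaigns_over(SAMPLE_EVENTS):
        print(f"subject={subject!r} count={count} dc(recipient)={dc}")
```

Keeping dc(recipient) in the result is cheap and useful when triaging: a subject with a high count but a single recipient looks like a mail loop or a stuck retry, while a high count spread across many recipients is the campaign pattern the alert is meant to catch.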