I have a query similar to the following which we are using to capture information about email traffic between certain (internal) email domains index="exchdomains" | stats count by SenderDomain,recipientDomain
| xyseries SenderDomain,recipientDomain,count This builds a nice table, however: Part 1 How do I limit the query to only certain values of 'SenderDomain' and 'recipientDomain' without having to type all the domains (there are about 8 ATM) into the query? Can I use a CSV lookup for this? Part 2 Assuming part one is achievable how do I add a 'catchall' row where I count messages sent from domains NOT in my list of 'SenderDomain' values of interest? And similarly add a 'catchall' column for 'recipientDomain' not in a list of 'known good'.
... View more