I'm looking at a specific email recipient. I want to see the percentage of emails they receive from specific senders. I think my current query gets all the fields I need but I'm having trouble breaking the results down to stats by month. Here is my current query:
```
index=msexchange (recipients="user@domain.org") eventtype="smtp-mail"
| eval sender_username=lower(sender_username)
| eval valid_sender=case(
    sender_username=="mailer-daemon" OR sender_username=="postmaster","Bounceback",
    sender_username!="mailer-daemon" OR sender_username!="postmaster","Valid")
| eval Month=strftime(_time,"%b")
```
Now what I would like to do is get a total count of emails sent to the recipient each month, and another column that states the percentage of those emails per month where valid_sender="Bounceback".
The end results would hopefully look something like this:
| Recipient | Month | Count | Bounceback% |
|---|---|---|---|
| user@domain.org | May | 500 | 25% |
| user@domain.org | June | 1000 | 30% |
| user@domain.org | July | 750 | 20% |
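
One way to produce that table, as an added example that is not part of the original post: bin events by calendar month, then use `count(eval(...))` inside a single `stats` to get the total and the bounceback count side by side. It assumes `recipients` may hold several addresses per event, so the recipient is set as a literal instead of grouping on that field; `Bouncebacks` and `BouncebackPct` are intermediate names chosen for this example.

```spl
index=msexchange recipients="user@domain.org" eventtype="smtp-mail"
| eval sender_username=lower(sender_username)
| eval valid_sender=if(sender_username=="mailer-daemon" OR sender_username=="postmaster","Bounceback","Valid")
| eval Recipient="user@domain.org"
| bin _time span=1mon
| stats count AS Count, count(eval(valid_sender=="Bounceback")) AS Bouncebacks BY Recipient, _time
| eval BouncebackPct=round(100*Bouncebacks/Count,0)."%"
| sort 0 _time
| eval Month=strftime(_time,"%B %Y")
| rename BouncebackPct AS "Bounceback%"
| table Recipient Month Count "Bounceback%"
```

Grouping on the binned `_time` and formatting the month name afterwards keeps rows in chronological order and stops the same month from different years being merged, which grouping on a `%b` string would do.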