I'm trying to craft a search that will show the percentage of quarantined messages by country, but I'm struggling a little on how to complete it. I have the following:
index="email" `MACRO` [search sourcetype=csv | iplocation FromIP | stats count by Country | where Country != "United States" | sort 20 -count ]
| eval success=if(Status="Quarantined",1,0)
| stats count as total sum(success) as success
| eval Percentage=success/total
| table _time Percentage
If I strip out the subsearch, I get the percentage, but trying to figure out how to incorporate iplocation into the search and then break that down per country.
Thx
↧