https://tryhackme.com/room/splunk2gcd5

index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" 
| stats count as visited by site
| table site, visited
| dedup site
| sort -visited

# Add a count to the table.

index="botsv2" sourcetype="stream:smtp" *amber* AND *berk*
