topic Re: splunk query help in Other Usage

Help with Splunk search?

sulaimancds — Mon, 22 May 2023 13:40:36 GMT

index=mail [ | inputlookup 123.csv | rename address AS query | fields query ] | dedup MessageTraceId | lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match | where isnull(domain_match) | lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2 | where isnotnull(domain_match2) | stats values(RecipientAddress) as Recipient values(Subject) as Subject earliest(_time) AS "Earliest" latest(_time) AS "Latest" values(Status) as Status by RecipientDomain SenderAddress | eval subject_count=mvcount(Subject) | sort - subject_count | convert ctime("Latest") | convert ctime("Earliest")

hi i have another column call date in the 123.csv , after running the query, those results which match the csv , show the date as well from 123.csv in 1 column. Please help.

Re: splunk query help

ITWhisperer — Mon, 22 May 2023 07:48:15 GMT

There is nothing in the search that you posted that would suggest how this might be happening - 123.csv in only used to get a list of addresses, not dates.

Please can you share some (anonymised) examples of where you are seeing this issue?

Re: splunk query help

sulaimancds — Mon, 22 May 2023 07:50:08 GMT

the search query is working perfectly , i just need to show the dates from the csv. example if i run the search and the user matches for example 123@gmail.com , the date on the 123.csv for this user is 22/05/2023. It should show the date as well

Re: splunk query help

ITWhisperer — Mon, 22 May 2023 07:52:57 GMT

OK - can you not simply do a lookup on 123.csv?

Re: splunk query help

sulaimancds — Mon, 22 May 2023 07:55:12 GMT

i try but not showing so i need your help with the query,

Re: splunk query help

ITWhisperer — Mon, 22 May 2023 07:58:23 GMT

What have you tried so far?

Re: splunk query help

sulaimancds — Mon, 22 May 2023 08:09:31 GMT

i use table and tried to put in stats and on the first line also to show , please help

Re: splunk query help

ITWhisperer — Mon, 22 May 2023 08:29:43 GMT

If you want more help, you will have to be more specific as to what exactly you have tried. I lost my mind-reading license after a misunderstanding with an African Prince!

Re: splunk query help

sulaimancds — Mon, 22 May 2023 08:32:26 GMT

@ITWhisperer wrote:
If you want more help, you will have to be more specific as to what exactly you have tried. I lost my mind-reading license after a misunderstanding with an African Prince!

i tried last week to rename [date AS date | fields date ] in first line

table at the last line i cannot remember ,

Re: splunk query help

ITWhisperer — Mon, 22 May 2023 08:40:49 GMT

It is not clear from the way you appear to be approaching this what it is that you are actually trying to achieve. Please can you share some anonymised sample events, examples of the csv files and an explanation of the desired results.

Re: splunk query help

sulaimancds — Mon, 22 May 2023 08:49:39 GMT

this is the current result. in my csv, there are 2 columns date and address - which is the sender address, which currently the query is working as shown above. after running the query, if there are any results, the date from the csv also should be shown in of the columns in the result table.

RecipientDomain	SenderAddress	Recipient	Subject	Earliest	Latest	Status	subject_count
gmail.com	abc@abc.com.xy	abc@gmail.com	form	05/16/2023 14:50:11.069507	05/18/2023 23:52:08.009636	Delivered	10

Re: splunk query help

ITWhisperer — Mon, 22 May 2023 08:57:55 GMT

Re: splunk query help

sulaimancds — Mon, 22 May 2023 09:06:33 GMT

in my csv there are 2 colums , Event date and address

address is used for sender address to match the criteria.

so, after the query is run , if there are any results, the date from the csv, should be shown with the results.

the command which you gave i think it is wrong.

Re: splunk query help

ITWhisperer — Mon, 22 May 2023 09:09:24 GMT

In what way is it wrong? What happened when you tried it?

Re: splunk query help

sulaimancds — Mon, 22 May 2023 09:11:01 GMT

The search job has failed due to an error.

Re: splunk query help

sulaimancds — Mon, 22 May 2023 09:11:33 GMT

in my csv there are 2 colums , Event date and address

address is used for sender address to match the criteria.

so, after the query is run , if there are any results, the Event date from the csv, should be shown with the results in another column

the command which you gave i think it is wrong.

Re: splunk query help

ITWhisperer — Mon, 22 May 2023 09:25:49 GMT

Please explain how being evasive helps your cause?

Re: splunk query help

sulaimancds — Mon, 22 May 2023 09:26:34 GMT

sorry i do not understand your question

Re: splunk query help

ITWhisperer — Mon, 22 May 2023 09:31:43 GMT

How do you think providing short, and not very informative answers helps anyone help you solve your problem?

Re: splunk query help

sulaimancds — Mon, 22 May 2023 09:32:31 GMT

i have provided everything , i am sorry if i did not