https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632729#M14815 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254197">@sulaimancds</a>,</P><P>if you want to exclede events containing keywords from the lookup, you have only to add a NOT condition tto the main search:</P><LI-CODE lang="markup">index=mail NOT [ | inputlookup suspicoussubject_keywords | rename keyword AS query | fields query ] | lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match | where isnull(domain_match) | lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2 | where isnotnull(domain_match2) | stats values(recipient) as recipient values(subject) as subject earliest(_time) AS "Earliest" latest(_time) AS "Latest" by RecipientDomain sender | where mvcount(recipient)=1 | eval subject_count=mvcount(subject) | sort - subject_count | convert ctime("Latest") | convert ctime("Earliest")</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 01 Mar 2023 08:33:12 GMT gcusello 2023-03-01T08:33:12Z https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632701#M14809 <P>&nbsp;</P> <P>&nbsp;</P> <PRE>index=mail | lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match | where isnull(domain_match) | lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2 | where isnotnull(domain_match2) | stats values(recipient) as recipient values(subject) as subject earliest(_time) AS "Earliest" latest(_time) AS "Latest" by RecipientDomain sender | where mvcount(recipient)=1 | eval subject_count=mvcount(subject) | sort - subject_count | convert ctime("Latest") | convert ctime("Earliest")</PRE> <P>&nbsp;</P> <P>&nbsp;</P> <P>i have list of suspicious keywords to in a list in lookup editor called suspicoussubject_keywords.</P> <P>&nbsp;</P> <P>can you include the query to lookup for this keyword in subject and then display results?</P> <P>&nbsp;</P> <P>in another use case , i have a list not to show the following subject&nbsp; filtersubjects&nbsp; in lookup.</P> <P>This will not display the results where there are the following words like CV, Resume in the subjects</P> <P>can you help me with the query ?</P> Wed, 01 Mar 2023 14:59:49 GMT https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632701#M14809 sulaimancds 2023-03-01T14:59:49Z https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632721#M14810 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254197">@sulaimancds</a>,</P><P>if you have a list of suspicious keywords in a lookup you could add to the main search this condition (assuming that the field in the lookup is called "keyword"):</P><LI-CODE lang="markup">index=mail [ | inputlookup suspicoussubject_keywords | rename keyword AS query | fields query ] | ...</LI-CODE><P>in this way you performa a full text search on your raw data using the keywords from the lookup.</P><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Wed, 01 Mar 2023 08:03:34 GMT https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632721#M14810 gcusello 2023-03-01T08:03:34Z https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632722#M14811 <P>thank you, can you put those into my query as shown above.</P> Wed, 01 Mar 2023 08:06:58 GMT https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632722#M14811 sulaimancds 2023-03-01T08:06:58Z https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632723#M14812 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254197">@sulaimancds</a>,</P><P>ok, try this:</P><LI-CODE lang="markup">index=mail [ | inputlookup suspicoussubject_keywords | rename keyword AS query | fields query ] | lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match | where isnull(domain_match) | lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2 | where isnotnull(domain_match2) | stats values(recipient) as recipient values(subject) as subject earliest(_time) AS "Earliest" latest(_time) AS "Latest" by RecipientDomain sender | where mvcount(recipient)=1 | eval subject_count=mvcount(subject) | sort - subject_count | convert ctime("Latest") | convert ctime("Earliest")</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 01 Mar 2023 08:08:58 GMT https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632723#M14812 gcusello 2023-03-01T08:08:58Z https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632725#M14813 <P>hi,</P><P>&nbsp;</P><P>list is saved already.&nbsp;&nbsp;</P><P>&nbsp;</P><P>this error is being showed.</P><UL><LI>[subsearch]: The lookup table 'email_subjects' requires a .csv or KV store lookup definition.</LI><LI>[subsearch]: The lookup table 'email_subjects' is invalid.</LI></UL><P>help.</P> Wed, 01 Mar 2023 08:24:19 GMT https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632725#M14813 sulaimancds 2023-03-01T08:24:19Z https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632728#M14814 <P><SPAN>&nbsp;</SPAN>i have a list not to show the following subject&nbsp; filtersubjects&nbsp; in lookup.</P><P>This will not display the results where there are the following words like CV, Resume in the subjects</P><P>can you help me with the query ?</P> Wed, 01 Mar 2023 08:25:39 GMT https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632728#M14814 sulaimancds 2023-03-01T08:25:39Z https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632729#M14815 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254197">@sulaimancds</a>,</P><P>if you want to exclede events containing keywords from the lookup, you have only to add a NOT condition tto the main search:</P><LI-CODE lang="markup">index=mail NOT [ | inputlookup suspicoussubject_keywords | rename keyword AS query | fields query ] | lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match | where isnull(domain_match) | lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2 | where isnotnull(domain_match2) | stats values(recipient) as recipient values(subject) as subject earliest(_time) AS "Earliest" latest(_time) AS "Latest" by RecipientDomain sender | where mvcount(recipient)=1 | eval subject_count=mvcount(subject) | sort - subject_count | convert ctime("Latest") | convert ctime("Earliest")</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 01 Mar 2023 08:33:12 GMT https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632729#M14815 gcusello 2023-03-01T08:33:12Z https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632730#M14816 <P>suspicoussubject_keywords.csv</P><P>&nbsp;</P><P><SPAN>keyword</SPAN></P><P><SPAN><BR />cv<BR />interview<BR />offboarding<BR />resume<BR /></SPAN></P> Wed, 01 Mar 2023 08:50:08 GMT https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632730#M14816 sulaimancds 2023-03-01T08:50:08Z https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632748#M14817 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254197">@sulaimancds</a>,</P><P>these errors are in the part of the search that you shared, not in the part I updated.</P><P>Anyway, check the <SPAN>email_subjects lookup because&nbsp;</SPAN>there's an error.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 01 Mar 2023 10:31:08 GMT https://community.splunk.com/t5/Alerting/Writing-a-Splunk-search-to-filter-email-subjects/m-p/632748#M14817 gcusello 2023-03-01T10:31:08Z