https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-email-events-when-the-key-id-is-not-defined/m-p/426812#M122285 <P>So I have correlated email events before where there was a UID defined as a field for all transactions of a unique email session. For example, the event containing "subject" contained a UID=xyz123 and the event containing "sender" contained a UID=xyz123, and the event containing "recipient" contained a UID=xyz123, etc...</P> <P>Now I am faced with transaction-events where the event containing "subject" has a UID=abc987, but the "to" and "from" events only have "abc987" and no field name...</P> <P>I can regex the UID value out of the "to" and "from" events, but I have not been successful stitching the events together to create the complete email session...</P> <P>For example, If I run this query below I can get the unique ids which will be contained in all events related to a unique email session... (by session I mean Subject, To, From, etc...)</P> <PRE><CODE>index=mail sourcetype=mail | rex field=_raw "sendmail+\S+\s(?&lt;stitcher&gt;[[:alnum:]]+)"|fillnull value="null"| table stitcher | WHERE stitcher!="null" </CODE></PRE> <P>here are some sample results</P> <PRE><CODE>stitcher w9FD0v3f024155 w9CCWGaF023575 w9CCAwjU026498 w9AEM7sO030350 w9ADp31g031379 w993gkLc016485 w993gjU0016459 w993UuOr000878 w9CDhH42016767 w9CDV93a026891 w9CDVAv6018597 </CODE></PRE> <P>If I search with each of theses UIDs 1 by 1, I would only get the events related to a specific email.</P> <P>So I tried a number of subsearches but I am having no luck...I need to feed the list back into a search and be able to list out the subject, to, and from, by UID...</P> <P>Looking for advice.<BR /> Thank you</P> Mon, 15 Oct 2018 23:23:48 GMT Log_wrangler 2018-10-15T23:23:48Z https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-email-events-when-the-key-id-is-not-defined/m-p/426812#M122285 <P>So I have correlated email events before where there was a UID defined as a field for all transactions of a unique email session. For example, the event containing "subject" contained a UID=xyz123 and the event containing "sender" contained a UID=xyz123, and the event containing "recipient" contained a UID=xyz123, etc...</P> <P>Now I am faced with transaction-events where the event containing "subject" has a UID=abc987, but the "to" and "from" events only have "abc987" and no field name...</P> <P>I can regex the UID value out of the "to" and "from" events, but I have not been successful stitching the events together to create the complete email session...</P> <P>For example, If I run this query below I can get the unique ids which will be contained in all events related to a unique email session... (by session I mean Subject, To, From, etc...)</P> <PRE><CODE>index=mail sourcetype=mail | rex field=_raw "sendmail+\S+\s(?&lt;stitcher&gt;[[:alnum:]]+)"|fillnull value="null"| table stitcher | WHERE stitcher!="null" </CODE></PRE> <P>here are some sample results</P> <PRE><CODE>stitcher w9FD0v3f024155 w9CCWGaF023575 w9CCAwjU026498 w9AEM7sO030350 w9ADp31g031379 w993gkLc016485 w993gjU0016459 w993UuOr000878 w9CDhH42016767 w9CDV93a026891 w9CDVAv6018597 </CODE></PRE> <P>If I search with each of theses UIDs 1 by 1, I would only get the events related to a specific email.</P> <P>So I tried a number of subsearches but I am having no luck...I need to feed the list back into a search and be able to list out the subject, to, and from, by UID...</P> <P>Looking for advice.<BR /> Thank you</P> Mon, 15 Oct 2018 23:23:48 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-email-events-when-the-key-id-is-not-defined/m-p/426812#M122285 Log_wrangler 2018-10-15T23:23:48Z https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-email-events-when-the-key-id-is-not-defined/m-p/426813#M122286 <P>If you have common unique values for different fields, would not be easier to rename them all and then apply a transaction command on the renamed field? Something like:</P> <PRE><CODE>| rename subject as UID | rex "sendmail+\S+\s(?&lt;UID&gt;[[:alnum:]]+)" | transaction UID </CODE></PRE> <P>If the time and format of the events are always the same you can add further options to the transaction, something like <BR /> <CODE>| transaction UID startswith=subject endswith=to</CODE> and/or <CODE>| transaction UID maxevents=3</CODE></P> Tue, 16 Oct 2018 07:30:20 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-email-events-when-the-key-id-is-not-defined/m-p/426813#M122286 jlelli 2018-10-16T07:30:20Z https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-email-events-when-the-key-id-is-not-defined/m-p/426814#M122287 <P>that is an idea I will try.... thank you</P> Tue, 16 Oct 2018 19:39:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-email-events-when-the-key-id-is-not-defined/m-p/426814#M122287 Log_wrangler 2018-10-16T19:39:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-email-events-when-the-key-id-is-not-defined/m-p/426815#M122288 <P>I had to use a combo of regex and transaction. Thx</P> Fri, 09 Nov 2018 16:37:47 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-email-events-when-the-key-id-is-not-defined/m-p/426815#M122288 Log_wrangler 2018-11-09T16:37:47Z