https://community.splunk.com/t5/Splunk-Search/Searching-msexchange-logs/m-p/499159#M139042 <P>what's session field?</P> Mon, 23 Mar 2020 20:56:52 GMT to4kawa 2020-03-23T20:56:52Z https://community.splunk.com/t5/Splunk-Search/Searching-msexchange-logs/m-p/499158#M139041 <P>is there any splunk query to search for send, recipient and subject in msexchange email logs? I know there is msexchange app but could it be done via simple query, regex? thanks for your help </P> Mon, 23 Mar 2020 17:57:10 GMT https://community.splunk.com/t5/Splunk-Search/Searching-msexchange-logs/m-p/499158#M139041 wfarooq124 2020-03-23T17:57:10Z https://community.splunk.com/t5/Splunk-Search/Searching-msexchange-logs/m-p/499159#M139042 <P>what's session field?</P> Mon, 23 Mar 2020 20:56:52 GMT https://community.splunk.com/t5/Splunk-Search/Searching-msexchange-logs/m-p/499159#M139042 to4kawa 2020-03-23T20:56:52Z https://community.splunk.com/t5/Splunk-Search/Searching-msexchange-logs/m-p/499160#M139043 <P>@to4kawa thanks for your response I am looking for email sender, recipient and subject fields</P> Mon, 23 Mar 2020 21:01:06 GMT https://community.splunk.com/t5/Splunk-Search/Searching-msexchange-logs/m-p/499160#M139043 wfarooq124 2020-03-23T21:01:06Z https://community.splunk.com/t5/Splunk-Search/Searching-msexchange-logs/m-p/499161#M139044 <P>what's the results of searching <CODE>sender@domain OR subject OR recipient@domain</CODE>?</P> Mon, 23 Mar 2020 21:38:35 GMT https://community.splunk.com/t5/Splunk-Search/Searching-msexchange-logs/m-p/499161#M139044 to4kawa 2020-03-23T21:38:35Z https://community.splunk.com/t5/Splunk-Search/Searching-msexchange-logs/m-p/499162#M139045 <P>@to4kawa this is regarding sourcetype=MSExchange:2013:MessageTracking so basically using it to parse send receive and subject</P> Sat, 28 Mar 2020 11:54:45 GMT https://community.splunk.com/t5/Splunk-Search/Searching-msexchange-logs/m-p/499162#M139045 wfarooq124 2020-03-28T11:54:45Z https://community.splunk.com/t5/Splunk-Search/Searching-msexchange-logs/m-p/499163#M139046 <P><A href="https://splunkbase.splunk.com/app/3225/">https://splunkbase.splunk.com/app/3225/</A><BR /> use add-on. </P> Sat, 28 Mar 2020 21:51:07 GMT https://community.splunk.com/t5/Splunk-Search/Searching-msexchange-logs/m-p/499163#M139046 to4kawa 2020-03-28T21:51:07Z https://community.splunk.com/t5/Splunk-Search/Searching-msexchange-logs/m-p/499164#M139047 <P>You will want to group all your logs by "internal_message_id" or "MID" to do so, you can use the "transaction" command :</P> <PRE><CODE> Index=email sourcetype=msexchange | transaction MID </CODE></PRE> <P>As you'll see transaction is quiet slow, I'll recommand using a groupby instead, It should look something like this : </P> <PRE><CODE>Index=email sourcetype=msexchange | stats values(recipient) AS recipient, values(sender) AS sender, values(subject) AS subject by MID </CODE></PRE> <P>3no</P> Wed, 30 Sep 2020 04:47:15 GMT https://community.splunk.com/t5/Splunk-Search/Searching-msexchange-logs/m-p/499164#M139047 3no 2020-09-30T04:47:15Z