https://community.splunk.com/t5/Splunk-Search/Search-Proofpoint-Logs/m-p/27069#M177706 <P>Thanks Kristian, I'll look into your recommendations. To answer your questions:</P> <P>yes, it is the same set of events, all emails, s=ssssss is a session identifier, m=mm is a particulater email/message. There can be (and are) multiple emails associated with a session. There are a lot more log entries per each email, but I condensed it to the fields I want to pull.<BR /> Thanks again.</P> Wed, 08 May 2013 19:05:41 GMT RB5 2013-05-08T19:05:41Z https://community.splunk.com/t5/Splunk-Search/Search-Proofpoint-Logs/m-p/27067#M177704 <P>Hi, I was hoping to get help for a search. I haven't had much time to spend on it so I apoligize for not trying harder 1st.</P> <P>I've started out with below, but both searches only return 2 results, even though there are over 1K log entries of the same format.</P> <PRE><CODE>index=xyz | transaction startswith="cmd=connect" endswith="cmd=disconnect" </CODE></PRE> <P>OR: </P> <PRE><CODE>index=xyz * | transaction s,m maxspan=301s startswith="mod=session cmd=connect" endswith="mod=session cmd=disconnect" </CODE></PRE> <P>I want to pull items such as value=<A href="mailto:abc@xyz.com" target="_blank">abc@xyz.com</A> where have cmd=env_rcpt, value=<A href="mailto:uvh@gmail.com" target="_blank">uvh@gmail.com</A> where have cmd=env_from and pull 'subject' and various scores, <BR /> like '3' from: suspectscore=3</P> <P>The log entries are of the format below.</P> <P>Thanks</P> <PRE><CODE>[2011-10-23 16:05:59.502387 +0000] rprt s=10kch03n9t mod=session cmd=connect ip=209.85.210.182 perlwait=0.085 [2011-10-23 16:06:26.251606 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_from value=uvh@gmail.com qid=p9NG5xMt010615 ip=209.85.210.182 [2011-10-23 16:06:26.405437 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_rcpt r=1 value=abc@xyz.com verified= routes= [2011-10-23 16:06:26.875486 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=spam cmd=run score=0 spamscore=0 ipscore=0 suspectscore=3 phishscore=0 bulkscore=0 adultscore=0 duration=0.091 [2011-10-23 16:06:26.879828 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=msg module=spf rule=pass action=continue attachments=0 rcpts=1 subject="Hi" spamscore=0 [2011-10-23 16:06:56.927722 +0000] rprt s=10kch03n9t mod=session cmd=disconnect module= rule= action= helo=mail-iy0-f182.google.com msgs=3 rcpts=3 routes= duration=1.119 elapsed=57.43 [2011-10-23 17:05:59.502387 +0000] rprt s=10kch03n9t mod=session cmd=connect ip=209.85.210.182 perlwait=0.085 [2011-10-23 17:06:26.251606 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_from value=xyz@hotmail.com qid=p9NG5xMt010615 ip=209.85.210.182 [2011-10-23 17:06:26.405437 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_rcpt r=1 value=123@xyz.com verified= routes= [2011-10-23 17:06:26.875486 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=spam cmd=run score=0 spamscore=0 ipscore=0 suspectscore=3 phishscore=0 bulkscore=0 adultscore=0 duration=0.091 [2011-10-23 17:06:26.879828 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=msg module=spf rule=pass action=continue attachments=0 rcpts=1 subject="Hi" spamscore=0 [2011-10-23 17:06:56.927722 +0000] rprt s=10kch03n9t mod=session cmd=disconnect module= rule= action= helo=mail-iy0-f182.google.com msgs=3 rcpts=3 routes= duration=1.119 elapsed=57.43 [2011-10-23 18:05:59.502387 +0000] rprt s=10kch03n9t mod=session cmd=connect ip=209.85.210.182 perlwait=0.085 [2011-10-23 18:06:26.251606 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_from value=123@gmail.com qid=p9NG5xMt010615 ip=209.85.210.182 [2011-10-23 18:06:26.405437 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_rcpt r=1 value=xxtt@xyz.com verified= routes= [2011-10-23 18:06:26.875486 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=spam cmd=run score=0 spamscore=0 ipscore=0 suspectscore=3 phishscore=0 bulkscore=0 adultscore=0 duration=0.091 [2011-10-23 18:06:26.879828 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=msg module=spf rule=pass action=continue attachments=0 rcpts=1 subject="Hi" spamscore=0 [2011-10-23 18:06:56.927722 +0000] rprt s=10kch03n9t mod=session cmd=disconnect module= rule= action= helo=mail-iy0-f182.google.com msgs=3 rcpts=3 routes= duration=1.119 elapsed=57.43 </CODE></PRE> Mon, 28 Sep 2020 13:51:23 GMT https://community.splunk.com/t5/Splunk-Search/Search-Proofpoint-Logs/m-p/27067#M177704 RB5 2020-09-28T13:51:23Z https://community.splunk.com/t5/Splunk-Search/Search-Proofpoint-Logs/m-p/27068#M177705 <P>You are aware of what the <CODE>transaction</CODE> command is supposed to be doing, right? It will bundle all events matching the conditions into transactions. The result will be a new multi-line event for each transaction. </P> <P>In your first query, you'd probably get the wrong transaction-events, as the only condition is connect/disconnect - regardless of any other data in the events. It <EM>may</EM> be ok for something very sequential in nature, where sessions do not intermingle. But for some kind of webserver log, it would be meaningless.</P> <P>So, what are the events you have listed? It looks like it the same set of events repeated 3 times. </P> <P>Is <CODE>s</CODE> some kind of session identifier? (in respect to the sessions of the spamfilter(?))<BR /> What is <CODE>m</CODE>? Why is that important?<BR /> It seems like <CODE>x</CODE> is present on all lines that you're interested in. </P> <P>There is a bit of a problem when the logging application write logs in the style of <CODE>key=&lt;key&gt; value=&lt;value&gt;</CODE>, instead of <CODE>&lt;key&gt;=&lt;value&gt;</CODE>, since the field <CODE>value</CODE> will be ambiguous. For this exercise, we'll use <CODE>rex</CODE> to do the extraction as part of the search.</P> <PRE><CODE>index=xyz | rex "env_from\s+value=(?&lt;sender&gt;\S+)" | rex "env_rcpt\s+r=\d+value=(?&lt;receiver&gt;\S+)" | transaction s maxspan=5m </CODE></PRE> <P>This should build the transaction that you're looking for. However, there might be a simpler way by using <CODE>stats</CODE>. <CODE>stats</CODE> is cheaper than <CODE>transaction</CODE> in terms of execution costs. Modify the query below to fit your own needs.</P> <PRE><CODE>index=xyz | rex "env_from\s+value=(?&lt;sender&gt;\S+)" | rex "env_rcpt\s+r=\d+value=(?&lt;receiver&gt;\S+)" | stats list(sender) as Sender values(receiver) as Receivers first(subject) as Subject max(suspectscore) as SuspectScore by s | where SuspectScore&gt;2 </CODE></PRE> <P>Hope this helps,</P> <P>Kristian</P> Wed, 08 May 2013 08:24:36 GMT https://community.splunk.com/t5/Splunk-Search/Search-Proofpoint-Logs/m-p/27068#M177705 kristian_kolb 2013-05-08T08:24:36Z https://community.splunk.com/t5/Splunk-Search/Search-Proofpoint-Logs/m-p/27069#M177706 <P>Thanks Kristian, I'll look into your recommendations. To answer your questions:</P> <P>yes, it is the same set of events, all emails, s=ssssss is a session identifier, m=mm is a particulater email/message. There can be (and are) multiple emails associated with a session. There are a lot more log entries per each email, but I condensed it to the fields I want to pull.<BR /> Thanks again.</P> Wed, 08 May 2013 19:05:41 GMT https://community.splunk.com/t5/Splunk-Search/Search-Proofpoint-Logs/m-p/27069#M177706 RB5 2013-05-08T19:05:41Z https://community.splunk.com/t5/Splunk-Search/Search-Proofpoint-Logs/m-p/27070#M177707 <P>Proofpoint now has a beta app that will allow you report on and visualze your Proofpoint Protection Server and TAP data! Check out the new app here:</P> <P><A href="https://splunkbase.splunk.com/app/3727/#/details">https://splunkbase.splunk.com/app/3727/#/details</A></P> <P>Be sure to follow the instructions listed in the details to get all the needed TA's etc that the app needs to work correctly.</P> <P>There are pre-built dashboards to aid in searching for message events.</P> Thu, 12 Oct 2017 02:34:26 GMT https://community.splunk.com/t5/Splunk-Search/Search-Proofpoint-Logs/m-p/27070#M177707 eckolp2003 2017-10-12T02:34:26Z