topic Re: I'm trying to perform a subsearch on lookup table and extract two fields using a or statement in Splunk Search

I'm trying to perform a subsearch on lookup table and extract two fields using a or statement

dkorlat — Tue, 29 Sep 2020 10:35:09 GMT

Hi
I'm trying to perform a subsearch to get a list of users in a lookup table and map the mail field to recipients and sender and perform a
search on recipients or sender. At the moment it's only performing the search if the recipients and senders are both as the recipients and sender .
Is there is a way to change it to search for recipients or senders that match to the fields instead of both fields need to match?
Here is my current search.
index=msexchange sourcetype="MSExchange:2010:MessageTracking" recipients=* OR sender=* [| inputlookup Finance_Users.csv | eval recipients = mail | eval sender = mail | fields recipients, sender] | dedup message_id | eval DLM = coalesce(SEC,DLM) |sort by -_time | convert timeformat="%d/%m/%Y %I:%M:%S %p" ctime(_time) | table _time, sender, recipient, message_subject, DLM | rename sender as Sender, recipient as Recipient, _time as Time, message_subject as Subject

Re: I'm trying to perform a subsearch on lookup table and extract two fields using a or statement

somesoni2 — Thu, 11 Aug 2016 16:30:24 GMT

Try like this

index=msexchange sourcetype="MSExchange:2010:MessageTracking"  [| inputlookup Finance_Users.csv | eval recipients = mail | eval sender = mail | fields recipients, sender | format "(" "" "OR" "" "OR" ")" ] | dedup message_id | eval DLM = coalesce(SEC,DLM)  |sort by -_time | convert timeformat="%d/%m/%Y %I:%M:%S %p" ctime(_time)  | table _time, sender, recipient, message_subject, DLM | rename sender as Sender, recipient as Recipient, _time as Time, message_subject as Subject

Re: I'm trying to perform a subsearch on lookup table and extract two fields using a or statement

dkorlat — Thu, 11 Aug 2016 23:32:42 GMT

Thanks worked perfectly.