topic Re: Count of distinct values for emails in Splunk Search

Count of distinct values for emails

hattrells — Tue, 26 Nov 2019 01:28:40 GMT

I have events coming in from an email spam appliance and would like to have an alert on spam campaigns with a unique sender,subject or content if they exceed a certain number (e.g. 50)

I'm scratching my head trying to create a search to get a count of events with common value for the subject field as a start.

index="mail" | stats dc(subject) as subjectcount | where subjectcount > 50

Re: Count of distinct values for emails

woodcock — Tue, 26 Nov 2019 05:31:16 GMT

Like this:

index="mail" 
| stats count dc(recipient) BY subject
| where count > 50

Re: Count of distinct values for emails

hattrells — Tue, 26 Nov 2019 05:37:34 GMT

This was incredibly easy in the end.... your answer is pretty much what I was trying to get to, only I didn't want to see the count per recipient, only the overall count of distinct subject headers so:

index="mail" | stats count by subject | search count>50

Added an alert which is only triggered when the count is greater than 50 🙂

Re: Count of distinct values for emails

woodcock — Tue, 26 Nov 2019 16:39:10 GMT

I try to add a little bonus value where I can; sometimes I am off the mark.