topic Re: csvfile search in values in Splunk Search

csvfile search in values

shrinivaskittur — Tue, 11 Jan 2022 11:18:30 GMT

Hi,

I have csv file containing emailID and domain and I would like to search the email exchanges between these two(emaild and domain)

Csv file looks like below

emailID domain

test1@company.com abc.com

test2@company.com xyz.com

test3@company.com some.com

so on ..........

based on the above I need to check how many time the emails exchanged between emailID and domain, I tried with below query but unable to get the result

Re: csvfile search in values

richgalloway — Tue, 11 Jan 2022 13:18:57 GMT

The current query looks for two literal strings in the Sender and Rcpt fields, which explains why you don't get the expected results. See if this helps.

Re: csvfile search in values

shrinivaskittur — Tue, 11 Jan 2022 13:59:24 GMT

Thank you for your reply, the suggested query is not giving me any outputs. If I select any one field I get one side result but when I select both fields "| fields email domain" then I won't get any result.

I want to achieve if any "EmailID" (listed in CSV) sends an email to any of the "domain"(listed in CSV) and vice versa should be shown in the search result.

Re: csvfile search in values

ITWhisperer — Tue, 11 Jan 2022 14:20:38 GMT

Re: csvfile search in values

shrinivaskittur — Tue, 11 Jan 2022 19:05:13 GMT

No Output from this query

Re: csvfile search in values

shrinivaskittur — Thu, 13 Jan 2022 06:15:04 GMT

Hi,

Please help me to get the correct query for my search.

Re: csvfile search in values

ITWhisperer — Thu, 13 Jan 2022 07:56:37 GMT

Sorry, there was a typo - try this

Re: csvfile search in values

shrinivaskittur — Mon, 17 Jan 2022 05:40:36 GMT

Hi,

Still the same, result is blank.

Re: csvfile search in values

ITWhisperer — Mon, 17 Jan 2022 07:48:46 GMT

Perhaps there is a mismatch between your indexed data and your csv file, for example, space padding, case, etc. Have you tried using one of the values from the csv to see if you get any results

your search ... domain="*@abc.com"

Re: csvfile search in values

shrinivaskittur — Mon, 17 Jan 2022 07:59:17 GMT

Hi,

I have already did this testing, I have taken sender and recipient from the recent logs and did the search using the same query but still not getting the result.

As said, I need both fields from csv to be matched in search (sender and recipient) for example.

if sender A sends email to recipient B and also if recipient B replies emails to sender B, in both case I should get the result . sender A & B are in csv should match.

Re: csvfile search in values

ITWhisperer — Mon, 17 Jan 2022 08:07:26 GMT

Can you share your full search and some anonymised sample events?