topic Re: help with query in Splunk Search

How to add more data about emails to search

sulaimancds — Mon, 27 Feb 2023 09:08:05 GMT

index=mail | lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match | where isnull(domain_match) | lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2 | where isnotnull(domain_match2) | stats values(recipient) as recipient values(subject) as subject earliest(_time) AS "Earliest" latest(_time) AS "Latest" by RecipientDomain sender | where mvcount(recipient)=1 | eval subject_count=mvcount(subject) | sort - subject_count | convert ctime("Latest") | convert ctime("Earliest")

i would like to include in the results if there are any attachments in the email, show me the attachment name and size of the attachment in MB/GB.

Is this possible ?

Adding on ,

also i have list of suspicious keywords to in a list in lookup editor called suspicoussubject_keywords.

can you include the query to lookup for this keyword in subject and then display results?

Re: help with query

PickleRick — Fri, 24 Feb 2023 16:54:59 GMT

This is impossible to answer this question without knowing what is in your data. Splunk only processes the data it gets from the third-party systems. If your data includes info about attachments it will be possible to add that but if it doesn't - where would you get it from?

Re: help with query

sulaimancds — Fri, 24 Feb 2023 23:24:54 GMT

Yes understood that, what about suspicious keywords in subject, I already have the wordlist created, in lookup editor, and would like the query to search the suspicious subject and provide the results.

Re: help with query

PickleRick — Sun, 26 Feb 2023 18:50:08 GMT

Well... there are several approaches you can take here - a wildcard lookup, splitting your subject and doing a lookup, generating a set of conditions from a subsearch - each has its pros and cons depending on your particular situation but the question is what are you trying to do? Splunk is _not_ an email filtering solution...

Re: help with query

sulaimancds — Sun, 26 Feb 2023 23:43:26 GMT

If the subject has keywords like tender, project, architecture, then those results should be displayed.

Please help with command.

Re: help with query

PickleRick — Mon, 27 Feb 2023 09:18:11 GMT

What have you tried so far and what were the results?

Have you tried any of the approaches I mentioned?

Re: help with query

sulaimancds — Mon, 27 Feb 2023 09:19:50 GMT

i tried to use lookup editor wordlist , to search but reuslts is 0 , can you helo me .