topic Re: Format Email Direction and Count in Splunk Search

Format Email Direction and Count

RB5 — Sat, 05 Apr 2014 00:16:07 GMT

Hi, am hoping for help with this. I want to format output as follows:

Domain      OUTBOUND_COUNT   INBOUND_COUNT  
xyz.COM                  24               16

The best I can come up with is via the search below, but it gives:

 DIRECTION      DOMAIN      count  
 INBOUND        xyz.COM     26  
 OUTBOUND       xyz.COM     24 


index=dmzmail sourcetype=sendmail_syslog (process=extin* sender_domain=ml.com) OR (process=extout* recipient_domain=fortis.com) | head 50  | eval DIRECTION = case (direction=="inbound", "INBOUND", direction=="outbound", "OUTBOUND")| eval DOMAIN = case (sender_domain=="xyz.COM", "xyz.COM", recipient_domain=="xyz.COM", "xyz.COM")| stats count by DIRECTION, DOMAIN | table DIRECTION DOMAIN count

Thanks.

Re: Format Email Direction and Count

linu1988 — Sat, 05 Apr 2014 07:09:11 GMT

Instead of table, xyseries will do it.

 index=dmzmail sourcetype=sendmail_syslog (process=extin sender_domain=ml.com) OR (process=extout recipient_domain=fortis.com) | head 50| eval DIRECTION = case direction=="inbound", "INBOUND", direction=="outbound", "OUTBOUND") | eval DOMAIN = case (sender_domain=="xyz.COM", "xyz.COM", recipient_domain=="xyz.COM", "xyz.COM")| stats count by DIRECTION, DOMAIN| stats count by DIRECTION, DOMAIN| xyseries DOMAIN DIRECTION count

Thanks

Re: Format Email Direction and Count

RB5 — Sat, 05 Apr 2014 15:36:28 GMT

Thanks! Sorry, didn't know about the xyseries function, very convenient.

Re: Format Email Direction and Count

linu1988 — Sat, 05 Apr 2014 16:20:48 GMT

If worked please mark it as answer...

Re: Format Email Direction and Count

RB5 — Sat, 05 Apr 2014 16:59:24 GMT

I do not see where I can mark this as being answered. Also, odds are I'll never get this posted as it is impossible to read those dam 'CAPTCHA' phrases. I'm logged in, why don't you let me do a post instead of fighting over those captions. Personal Problem apparently.