https://community.splunk.com/t5/Splunk-Search/Compare-if-an-event-in-different-sourcetypes-has-the-same-values/m-p/148333#M41494 <P>Hey Splunkers, </P> <P>We want to track an email communication which is done over multiple servers with multiple log formats. <BR /> We have three fields that must have the same value in an event in both sourcetypes, if this is true we want to mark the email as accepted.</P> <P>The field combination that must match are from, to, subject</P> <P>here is an example:</P> <P>the log event from the anti spam gateway:<BR /> <EM>Oct 1 10:08:05 10.1.8.75 date=2014-10-01 time=10:08:05 device_id=FEVM020000026428 log_id=0200014307 type=statistics pri=information session_id="s91884r7014306-s91884r8014306" client_name="xxx.mail.de [5.123.123.123]" dst_ip="10.1.8.75" **from=<A href="mailto:bla@foo.de" target="_blank">bla@foo.de</A> to=<A href="mailto:test@ymca.de" target="_blank">test@ymca.de</A></EM>* polid="0:1:1" domain="ymca.de" <STRONG>subject="TEST"</STRONG> mailer="mta" resolved="OK" direction="in" virus="" disposition="Accept" classifier="Not Spam" message_length="1697"*</P> <P>the log event from the receiving mail server: <BR /> <EM>[2014-10-01 17:20:21.555] [ 219316 ms] [Snr- 4169584] [connection13] [INFO ] typ="mail statistic" Snr=4169584 **from=<A href="mailto:bla@foo.de" target="_blank">bla@foo.de</A> to=<A href="mailto:test@ymca.de" target="_blank">test@ymca.de</A> subject="TEST"</EM>* disposition=accept direction=in*</P> <P>We need a table with the following values:</P> <P>from to subject AntiSpamOK MailrcvdOK<BR /> <A href="mailto:bla@foo.de" target="_blank">bla@foo.de</A> <A href="mailto:test@ymca.de" target="_blank">test@ymca.de</A> TEST 1 1<BR /> <A href="mailto:mail2@test.de" target="_blank">mail2@test.de</A> <A href="mailto:test@ymca.de" target="_blank">test@ymca.de</A> NOT GOOD 1 0 </P> <P>With that we can filter if a mail is processed or not. for example |where MailrcvdOK=0</P> <P>I have tried the following:</P> <P><STRONG>eventtype="Antispam_Inbound_Mail" |stats count AS AntiSpamOK by from, to, subject | join type=left from to subject [search eventtype="Mailserver_Inbound_Mail" |stats count AS MailrcvdOK by from, to, subject ] |eval MailrcvdOK =if(isnull(MailrcvdOK ),0,MailrcvdOK) |fields from to subject AntiSpamOK, MailrcvdOK</STRONG></P> <P>I have used a left join, because only the mails in the first search must seen definitely on the second one.<BR /><BR /> But with this command I don't see any matching row where AntiSpamOK and MailrcvdOK are both 1.<BR /> I have checked the logs, in both logs are event combination with the same field values. I just don't know how to get it visible. <BR /> I also tried this with the |set intersection command without any success. </P> <P>Is there a better way to do it? Am I wrong with something?</P> <P>Thanks to all</P> Mon, 28 Sep 2020 17:46:21 GMT btiggemann 2020-09-28T17:46:21Z https://community.splunk.com/t5/Splunk-Search/Compare-if-an-event-in-different-sourcetypes-has-the-same-values/m-p/148333#M41494 <P>Hey Splunkers, </P> <P>We want to track an email communication which is done over multiple servers with multiple log formats. <BR /> We have three fields that must have the same value in an event in both sourcetypes, if this is true we want to mark the email as accepted.</P> <P>The field combination that must match are from, to, subject</P> <P>here is an example:</P> <P>the log event from the anti spam gateway:<BR /> <EM>Oct 1 10:08:05 10.1.8.75 date=2014-10-01 time=10:08:05 device_id=FEVM020000026428 log_id=0200014307 type=statistics pri=information session_id="s91884r7014306-s91884r8014306" client_name="xxx.mail.de [5.123.123.123]" dst_ip="10.1.8.75" **from=<A href="mailto:bla@foo.de" target="_blank">bla@foo.de</A> to=<A href="mailto:test@ymca.de" target="_blank">test@ymca.de</A></EM>* polid="0:1:1" domain="ymca.de" <STRONG>subject="TEST"</STRONG> mailer="mta" resolved="OK" direction="in" virus="" disposition="Accept" classifier="Not Spam" message_length="1697"*</P> <P>the log event from the receiving mail server: <BR /> <EM>[2014-10-01 17:20:21.555] [ 219316 ms] [Snr- 4169584] [connection13] [INFO ] typ="mail statistic" Snr=4169584 **from=<A href="mailto:bla@foo.de" target="_blank">bla@foo.de</A> to=<A href="mailto:test@ymca.de" target="_blank">test@ymca.de</A> subject="TEST"</EM>* disposition=accept direction=in*</P> <P>We need a table with the following values:</P> <P>from to subject AntiSpamOK MailrcvdOK<BR /> <A href="mailto:bla@foo.de" target="_blank">bla@foo.de</A> <A href="mailto:test@ymca.de" target="_blank">test@ymca.de</A> TEST 1 1<BR /> <A href="mailto:mail2@test.de" target="_blank">mail2@test.de</A> <A href="mailto:test@ymca.de" target="_blank">test@ymca.de</A> NOT GOOD 1 0 </P> <P>With that we can filter if a mail is processed or not. for example |where MailrcvdOK=0</P> <P>I have tried the following:</P> <P><STRONG>eventtype="Antispam_Inbound_Mail" |stats count AS AntiSpamOK by from, to, subject | join type=left from to subject [search eventtype="Mailserver_Inbound_Mail" |stats count AS MailrcvdOK by from, to, subject ] |eval MailrcvdOK =if(isnull(MailrcvdOK ),0,MailrcvdOK) |fields from to subject AntiSpamOK, MailrcvdOK</STRONG></P> <P>I have used a left join, because only the mails in the first search must seen definitely on the second one.<BR /><BR /> But with this command I don't see any matching row where AntiSpamOK and MailrcvdOK are both 1.<BR /> I have checked the logs, in both logs are event combination with the same field values. I just don't know how to get it visible. <BR /> I also tried this with the |set intersection command without any success. </P> <P>Is there a better way to do it? Am I wrong with something?</P> <P>Thanks to all</P> Mon, 28 Sep 2020 17:46:21 GMT https://community.splunk.com/t5/Splunk-Search/Compare-if-an-event-in-different-sourcetypes-has-the-same-values/m-p/148333#M41494 btiggemann 2020-09-28T17:46:21Z https://community.splunk.com/t5/Splunk-Search/Compare-if-an-event-in-different-sourcetypes-has-the-same-values/m-p/148334#M41495 <P>Try this</P> <PRE><CODE>eventtype="Antispam_Inbound_Mail" OR eventtype="Mailserver_Inbound_Mail" | stats count(eventtype="Antispam_Inbound_Mail") as AntiSpamOK count(eventtype="Mailserver_Inbound_Mail") as MailrcvdOK by from to subject </CODE></PRE> <P>This avoids the subsearches, which may be hitting limits and causing the problems. It should also run much faster.</P> Thu, 02 Oct 2014 00:12:55 GMT https://community.splunk.com/t5/Splunk-Search/Compare-if-an-event-in-different-sourcetypes-has-the-same-values/m-p/148334#M41495 lguinn2 2014-10-02T00:12:55Z https://community.splunk.com/t5/Splunk-Search/Compare-if-an-event-in-different-sourcetypes-has-the-same-values/m-p/148335#M41496 <P>Hi Lisa, </P> <P>it looks like this is it. Thanks for your help and giving a good idea. </P> <P>I have adjusted the search to:</P> <PRE><CODE>eventtype="AntiSpam_Inbound_Mail" OR eventtype="Mail_Inbound_Mail" | stats count(eval(eventtype="AntiSpam_Inbound_Mail")) as AntiSpamOK count(eval(eventtype="Mail_Inbound_Mail")) as MailrcvdOK by subject |eval Mailfactor=MailrcvdOK-AntiSpamOK </CODE></PRE> <P>I was wondering why MailrcvdOK and AntiSpamOK are always "0". It is because you have to use an eval in the count() function. </P> <P>Now we have got another problem: </P> <P>Sometimes a mail is processed several times in the log because of a mail loop or queuing error. With that the combination of from to subject can occur 3 time in "AntiSpam_Inbound_Mail" and one time in "Mail_Inbound_Mail". </P> <P>For example: </P> <P>from to subject AntiSpamOK MailrcvdOK<BR /> <A href="mailto:bla@foo.de" target="_blank">bla@foo.de</A> <A href="mailto:test@ymca.de" target="_blank">test@ymca.de</A> TEST 3 1<BR /> <A href="mailto:bla1@foo.de" target="_blank">bla1@foo.de</A> <A href="mailto:tes1t@ymca.de" target="_blank">tes1t@ymca.de</A> TEST 7 1</P> <P>With your search we are not able to see that reprocessed mails. <BR /> Is there a chance to track this, too?</P> <P>Thanks for your help again. </P> Mon, 28 Sep 2020 17:47:22 GMT https://community.splunk.com/t5/Splunk-Search/Compare-if-an-event-in-different-sourcetypes-has-the-same-values/m-p/148335#M41496 btiggemann 2020-09-28T17:47:22Z https://community.splunk.com/t5/Splunk-Search/Compare-if-an-event-in-different-sourcetypes-has-the-same-values/m-p/148336#M41497 <P>We fixed it using eventstats instead of stats... At the end it was very easy...</P> Wed, 08 Oct 2014 23:41:41 GMT https://community.splunk.com/t5/Splunk-Search/Compare-if-an-event-in-different-sourcetypes-has-the-same-values/m-p/148336#M41497 btiggemann 2014-10-08T23:41:41Z