https://community.splunk.com/t5/Splunk-Search/How-to-search-email-logs-for-potential-SPAM-IOC-via-character/m-p/238451#M70838 <P>As a further refinement to this, is it possible in Splunk to weight evals, such as if a user sends or receives an email with a Subject over 200 characters in length, a weight or rating of 5 is assigned, if the recipient list is greater than 10 people a weight or rating of 5 is assigned, and so on so users with a higher weight/rating bubble up to the top of the report.</P> <P>Thx</P> Wed, 06 Jul 2016 14:26:17 GMT jwalzerpitt 2016-07-06T14:26:17Z https://community.splunk.com/t5/Splunk-Search/How-to-search-email-logs-for-potential-SPAM-IOC-via-character/m-p/238450#M70837 <P>We are ingesting some of our email logs, and one of the fields is 'Subject'. </P> <P>I was wondering if anyone has created a search that looks for potential SPAM IOC via the following methods:</P> <P>1) Character count - I'd like to create a search that creates buckets that shows a count of Subject length of 1-10, 11-20, 21-30, etc) <BR /> 2) Number of special characters in the Subject field - once again create a search for the count of buckets from 1-3, 4-6, etc., or even the number of special characters in a row, such as two or ,more (!!, !!!, etc.).</P> <P>Not limited to those two ideas of course, but would appreciate any feedback.</P> <P>Thx</P> Wed, 06 Jul 2016 13:57:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-email-logs-for-potential-SPAM-IOC-via-character/m-p/238450#M70837 jwalzerpitt 2016-07-06T13:57:31Z https://community.splunk.com/t5/Splunk-Search/How-to-search-email-logs-for-potential-SPAM-IOC-via-character/m-p/238451#M70838 <P>As a further refinement to this, is it possible in Splunk to weight evals, such as if a user sends or receives an email with a Subject over 200 characters in length, a weight or rating of 5 is assigned, if the recipient list is greater than 10 people a weight or rating of 5 is assigned, and so on so users with a higher weight/rating bubble up to the top of the report.</P> <P>Thx</P> Wed, 06 Jul 2016 14:26:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-email-logs-for-potential-SPAM-IOC-via-character/m-p/238451#M70838 jwalzerpitt 2016-07-06T14:26:17Z https://community.splunk.com/t5/Splunk-Search/How-to-search-email-logs-for-potential-SPAM-IOC-via-character/m-p/238452#M70839 <P>Are you looking for how to implement your ideas or confirmation on your ideas as appropriate for helping find spam?</P> Wed, 06 Jul 2016 16:17:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-email-logs-for-potential-SPAM-IOC-via-character/m-p/238452#M70839 woodcock 2016-07-06T16:17:42Z https://community.splunk.com/t5/Splunk-Search/How-to-search-email-logs-for-potential-SPAM-IOC-via-character/m-p/238453#M70840 <P>Looking for ideas on how to implement if possible (as I would think others have tackled this before)</P> <P>Thx</P> Wed, 06 Jul 2016 16:36:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-email-logs-for-potential-SPAM-IOC-via-character/m-p/238453#M70840 jwalzerpitt 2016-07-06T16:36:57Z https://community.splunk.com/t5/Splunk-Search/How-to-search-email-logs-for-potential-SPAM-IOC-via-character/m-p/238454#M70841 <P>1: Like this:</P> <PRE><CODE>... | eval SubjectLen=length(Subject) | bucket SubjectLen span=10 </CODE></PRE> <P>2: Like this:</P> <PRE><CODE>... | eval SubjectLen=length(Subject) | eval SubjectCopy=Subject | rex field=SubjectCopy mode=sed "s/[ListOfSpecialCharactersHere]//g" | eval specialCharCount = SubjectLen - length(SubjectCopy) | field - SubjectCopy </CODE></PRE> Wed, 06 Jul 2016 19:31:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-email-logs-for-potential-SPAM-IOC-via-character/m-p/238454#M70841 woodcock 2016-07-06T19:31:56Z