Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I show o365 email logs in a table?

sulaimancds
Engager
‎03-12-2023 08:35 PM

{"Organization": "groupxyz.onmicrosoft.com", "MessageId": "<12345678>", "Received": "2023-03-13T01:56:22.9207071", "SenderAddress": "bca@bca.com", "RecipientAddress": "dlf@g.com", "Subject": "12312312332231'", "Status": "Delivered", "ToIP": "111.1.11.1", "FromIP": "12.23.4.2.23232", "Size": 2022121 "MessageTraceId": "4f74644747749djhrhfbf", "Index": 0}

 

hi this is my raw data; how can i show it in a table in a nice format?

index=mail , and please help

RecipientDomain

sender

recipient

subject

Earliest

Latest

  

 

 

Labels (3)
Tags (1)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-12-2023 08:50 PM

Where do you want earliest and latest to come from?

Add this to your search

| spath
| rex field=RecipientAddress "(?<recipient>[^@]*)@(?<RecipientDomain>.*)"
| rex field=SenderAddress "(?<sender>[^@]*)"
| table RecipientDomain sender recipient Subject Earliest Latest
0 Karma
Reply

sulaimancds
Engager
‎03-12-2023 09:00 PM

sorry changed the table to Received. 

this is the raw log 

Received2023-03-13T02:56:22.5381743

 

 

0 Karma
Reply

sulaimancds
Engager
‎03-12-2023 09:08 PM

i need the full recipient email and sender email to be shown  in the table

only recipient domain will show the domain like google.com, yahoo.com

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-12-2023 10:26 PM

Then just change the table command to this and remove the second rex statement as it's not needed.

| table RecipientDomain SenderAddress RecipientAddress Subject Received

Use rename to rename the fields as you want them

0 Karma
Reply

sulaimancds
Engager
‎03-15-2023 11:29 PM

hi i need to match those sender domain = gmail.com

 

can you help me with the query ?

 

index=mail 
| dedup MessageTraceId
| rex field=SenderAddress "(?<Sender>[^@]*)@(?<SenderDomain>.*)"
| where SenderDomain == gmail.com
| table SenderDomain SenderAddress RecipientAddress Subject Earliest Latest

 

the 4th line does not work . please help

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-16-2023 06:02 PM

Quote the string you are trying to match in the where clause

| where SenderDomain = "gmail.com"
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...