All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to define minimum number of field values per event?

evallja
Path Finder
‎08-08-2022 12:43 PM

Hello everyone,

I have built a search that returns the email sender address as sender, its recipients list as recipient, and the number of emails received. One event looks like this:

sender                                                                        recipient                 nr of emails sent
user.sender@outsidecompany.com user1@company.com 16
                                                                          user2@company.com
                                                                         user3@company.com
                                                                         user4@company.com
                                                                         user5@company.com
                                                                         user6@company.com
                                                                         user7@company.com

I want to define the recipient field values to be 10 recipients or more because let's say I'm not interested to see outside emails from a sender that has sent an email to less than 10 people inside company.com.

Do you have any idea?

Best regards.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-08-2022 12:53 PM

Add this to your current search

| where mvcount(recipient)>=10

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-08-2022 12:53 PM

Add this to your current search

| where mvcount(recipient)>=10
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...