Re: How to pick only non comma (",") rel...

akshayinnamuri · ‎03-07-2022

Hi have a results from my mail index

say log look like below

sender=abc recipient=xyz@sample.com,ghi@nonsample.com country=abc

sender=def recipient=team@nonsample.com country=xyz

sender=gfh recipient=tip@nonsample.com country=efg

sender=abc recipient=none@sample.com,sample@nonsample.com country=pqr

I want to shows in a table only the non comma separated recipients only (as highlighted in bold where there are no multiple recipients)

can some one help me on this

akshayinnamuri · ‎03-08-2022

Thanks all,
above didnt work..
however I tried
| eval recipient=split(recipient,","), rec_count=mvcount(rcpt)
| where rec_count=1
|table ...

and got the result

scelikok · ‎03-07-2022

You can simply filter them by using below;

| search NOT sender=*,*

If this reply helps you an upvote and "Accept as Solution" is appreciated.

ITWhisperer · ‎03-07-2022

I think @scelikok meant

| search NOT recipient=*,*

scelikok · ‎03-08-2022

Yes @ITWhisperer , thank you for correction

If this reply helps you an upvote and "Accept as Solution" is appreciated.

How to pick only non comma (",") related events and show in table?