I am trying to write a Splunk query to detect blocked emails from the same sender for a particular subject line, and allowed emails from the same sender with a different subject line or recipient group.
Recipient : firstname.lastname@example.org
Subject : Subject1
Action : Blocked
Recipient : email@example.com or firstname.lastname@example.org
Subject : Subject2
Action : Allowed
Any ideas will be appreciated.
Hi, the mail log is multiline. Is there a queue ID you can use as a key? If so:
| stats values(*) as * by queue
| search Action=Block
How about this?
Assuming you have the fields Action and sender, try this:
"your base search" (Action="Blocked" OR Action="Allowed")
| stats values(Action) as Actions, values(other_fields) as other_fields by sender | where mvcount(Actions) > 1
where other_fields are the other fields you want in the result.
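To make the two suggestions above concrete, here is an added example (not posted by anyone in this thread) that does offline in Python what the proposed SPL does in Splunk: first stitch a multiline mail log back into one event per queue ID (the `stats values(*) as * by queue` step), then group by sender and keep only senders that have more than one distinct action, reporting the blocked subjects next to the allowed (subject, recipient) combinations that differ from them. The log format (one `key=value` line per log fragment, sharing a `queue` ID), the field names and all addresses are assumptions; the sample log is constructed, not real data.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data). Each message is split across two
# lines that share a queue ID, which is the multiline situation the first
# reply describes: delivery details on one line, the filter verdict on another.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z queue=q1 sender=sender-a@example.net recipient=firstname.lastname@example.org subject="Subject1"
2024-05-01T09:00:01Z queue=q1 action=Blocked
2024-05-01T09:00:05Z queue=q2 sender=sender-a@example.net recipient=email@example.com subject="Subject2"
2024-05-01T09:00:05Z queue=q2 action=Allowed
2024-05-01T09:00:09Z queue=q3 sender=sender-a@example.net recipient=firstname.lastname@example.org subject="Subject2"
2024-05-01T09:00:09Z queue=q3 action=Allowed
2024-05-01T09:01:00Z queue=q4 sender=news@example.com recipient=email@example.com subject="Weekly"
2024-05-01T09:01:00Z queue=q4 action=Allowed
2024-05-01T09:02:00Z queue=q5 sender=sender-b@example.net recipient=email@example.com subject="Buy now"
2024-05-01T09:02:00Z queue=q5 action=Blocked
2024-05-01T09:03:00Z queue=q6 sender=sender-b@example.net recipient=email@example.com subject="Buy now"
2024-05-01T09:03:00Z queue=q6 action=Blocked
"""

# key=value pairs; values may be double-quoted so subjects can contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_lines(text):
    """Turn each non-empty log line into a dict of its key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return events


def merge_by_queue(fragments):
    """Equivalent of `| stats values(*) as * by queue`: one event per queue ID.

    Fragments that never receive both a sender and an action are dropped,
    since they cannot contribute to a sender/action correlation.
    """
    merged = defaultdict(dict)
    for frag in fragments:
        queue = frag.get("queue")
        if queue:
            merged[queue].update(frag)
    return [e for e in merged.values() if "sender" in e and "action" in e]


def correlate_by_sender(events):
    """Equivalent of the second reply's query, plus the subject/recipient diff.

    Groups by sender, keeps senders whose set of actions has more than one
    member (mvcount(Actions) > 1), and returns the blocked subjects alongside
    the allowed (subject, recipient) pairs that differ from every blocked pair.
    """
    per_sender = defaultdict(lambda: {"actions": set(), "blocked": set(), "allowed": set()})
    for e in events:
        rec = per_sender[e["sender"]]
        rec["actions"].add(e["action"])
        pair = (e.get("subject", ""), e.get("recipient", ""))
        if e["action"] == "Blocked":
            rec["blocked"].add(pair)
        elif e["action"] == "Allowed":
            rec["allowed"].add(pair)

    findings = {}
    for sender, rec in per_sender.items():
        if len(rec["actions"]) <= 1:
            continue  # only ever blocked, or only ever allowed: not interesting here
        findings[sender] = {
            "blocked_subjects": sorted({s for s, _ in rec["blocked"]}),
            # Allowed mail whose subject or recipient differs from the blocked mail.
            "allowed_variants": sorted(rec["allowed"] - rec["blocked"]),
        }
    return findings


def run_detection(log_text=SAMPLE_LOG):
    return correlate_by_sender(merge_by_queue(parse_lines(log_text)))


if __name__ == "__main__":
    for sender, info in run_detection().items():
        print(sender, "blocked:", info["blocked_subjects"], "allowed elsewhere:", info["allowed_variants"])
```

On the constructed log only sender-a@example.net is reported: Subject1 was blocked, while Subject2 went through to two recipients. news@example.com (only ever allowed) and sender-b@example.net (only ever blocked) fall out, which is exactly what the `mvcount(Actions) > 1` filter in the SPL above achieves. If your log already has one event per message, skip `merge_by_queue` and feed `parse_lines` output straight to `correlate_by_sender`.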