Display only account that end with @d.com

ajromero · ‎07-06-2020

This search gives me all the data I need, but I would to display only email accounts that end with an specific name for instance I want to display only accounts that end with @d.com

Here is my query:

Here are my results: The only accounts that I want to display are the ones end with @d.com

and as you can see, the search is showing other accounts like this one @ge.com

can someone tell me how to do this?

thanks

richgalloway · ‎07-06-2020

Try replacing

| where recipient<"IID.com"

with

| regex recipient="@d\.com"

---
If this reply helps you, Karma would be appreciated.

ajromero · ‎07-06-2020

Hi,

It didn't work. I want to display only recipients that ends with iid.com only

if you see the picture is mixing other accounts from other domains and I want only to display the accounts with the iid.com

thank you

to4kawa · ‎07-06-2020

| where match(recipient,"(?i)iid.com")

how about this?

ajromero · ‎07-06-2020

awesome , this worked perfect

thanks

but I have another question,

I would like to remove the Email Accounts field that does not have a User Name see below

if that possible

thanks

to4kawa · ‎07-06-2020

| where match(recipient,"(?i)iid.com") AND isstr(src_user_nick)

ajromero · ‎07-06-2020

it worked

thanks

Display only account that end with @d.com

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL