Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

email from specific domain

rashid47010
Communicator
‎02-18-2019 05:12 AM

I want to exlude specific domains from both sender and receipient.
for example I have abc.com domain and have one lookup file with legitiamate domain names.
Now I want to see a emails which is not include either as sender or receipient in that lookup file.

OR in simple words how can I compare lookup values againt two fields(sender and receipient)

Tags (1)
0 Karma
Reply

vnravikumar
Champion
‎02-18-2019 06:03 AM

Hi @rashid47010

Try this

| makeresults 
| eval sender="test@test.com" 
| eval receiver="test1@test.com" 
| rex field=sender "@(?P<senderdomain>.*)" 
| lookup domainlookup domain as senderdomain OUTPUT domain as senderflag 
| rex field=receiver "@(?P<receiverdomain>.*)" 
| lookup domainlookup domain as receiverdomain OUTPUT domain as receiverflag 
| where isnull(senderflag) AND isnull(receiverflag)

lookup: domainlookup

domain
abc.com
test.com

0 Karma
Reply

vnravikumar
Champion
‎02-19-2019 06:27 AM

@rashid47010, have you tried?

0 Karma
Reply

vnravikumar
Champion
‎02-21-2019 12:43 AM

Its solved?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...