Hot to group message events of Cisco ESA by two or...

makitos666 · ‎06-18-2019

I want to group all the events generated by an email generated by cisco_esa.

A query that I usually make is the following:

index="cisco_esa" mid="111351394" host="10.1.1.1"| stats list(_raw) AS events BY mid

The question is that I group the events by MID, but it is not a common element, in fact there is no field in common between ALL the events of an email.

Most events have MID, some only have ICID or DICID, and there are some that contain MID and DCID or ICID. These last ones are used to group all the events of a single mail for their ICID and MID.

I have made the following consults to get the MID, ICID and host of each message by its source IP (dest)

index="cisco_esa" 
    [search index="cisco_esa"
        [search index="cisco_esa" 
            [search index="cisco_esa" dest=* protocol=SMTP | where isnotnull(icid) | table ICID,host]
        | where isnotnull(MID) | stats list(_raw) AS events by icid,host,MID | return 10000 $MID $icid] 
    | table icid,MID,host]
| table icid,MID,host | dedup icid,MID,host

Do you know how I could, with a single search, show ALL the events related to a mail message?

Hot to group message events of Cisco ESA by two or more fields

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Hot to group message events of Cisco ESA by two or more fields

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem