Hey All,
I need some assistance with completing some search parameters.
I created a search to correlate emails going in and out of proofpoint according to the message_session_id using transaction and displaying in a table format. Proofpoint generates multiple events for a single message which requires stitching it all together.
I would like to turn this into a dashboard with two search boxes that would allow me to specify the search parameters for the sender and recipient while still maintaining the correlation using transaction.
Here is my current search:
index=proofpoint
| transaction message_session_id
| table from to subject file_name rule action
| fillnull value=n/a
Would I achieve this using tokens? Or how would I go about this?
