I need some assistance with completing some search parameters.
I created a search to correlate emails going in and out of proofpoint according to the messagesessionid using transaction and displaying in a table format. Proofpoint generates multiple events for a single message which requires stitching it all together.
I would like to turn this into a dashboard with two search boxes that would allow me to specify the search parameters for the sender and recipient while still maintaining the correlation using transaction.
Here is my current search:
| transaction messagesessionid
| table from to subject file_name rule action
| fillnull value=n/a
Would I achieve this using tokens? Or how would I go about this?
There are many examples in the Dashboard Examples app. Install it and it will have something almost exactly like what you need (except for the SPL, which you already have): https://splunkbase.splunk.com/app/1603/