Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

generating 5 individual notables events for single search but i need one notable event for all the search results

vikkysplunk
Path Finder
‎05-01-2021 03:15 PM

Hi all,

 

Using the below SPL i have created one new use case for multiple emails sent from external domain. For example if i get 5 results in search it is generating 5 individual notables events but i need one notable event for all the 5 results .. pls could you help me on these

index=msexchange sourcetype=MSExchange*:MessageTracking tag=email action=delivered sender_domain!=@x.x.x recipients!=@x.x.x | stats dc(recipient) as count by sender | search count >=4 | rename count as recipient_count | table sender recipient_count

Search Range 1hr

Cron schedule : */5 * * * *

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-02-2021 02:10 AM

Your count appears to be by sender not sender_domain, could that be why?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-02-2021 02:10 AM

Your count appears to be by sender not sender_domain, could that be why?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...