Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

CISCO ESA - simple search email query (sender, recipient,subject)

corti77
Contributor
‎07-12-2022 02:10 AM

Hi,

I have Splunk 8.1.4 with Splunk Add-on for CISCO ESA 1.5.0. I also have the old  app Cisco Secuirty Suite that even though it does not support Splunk 8.1.4, it shows results so I planned to get inspired by its query for Message tracking--> Transaction details.

 

index=cisco eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="*" dest_interface="*" policy_direction="*" subject="*TEST*"

 

I think the ESA events are getting correctly to Splunk, I use Syslog Connector for Splunk. 

The test I performed is the following :

1. send an email from my corporate email to GMAIL with the subject TEST

2. simply reply from gmail.

With the above query I would expect to see two events but I only see the outgoing event.

I tried to filter by recipient and it thrown zero results.

 

index=cisco eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="xxxx@yyy.zz" dest_interface="*" policy_direction="*"

 

If I do a simpler query without the transaction command, I can see an event with the right internal recipient which corresponds to the incoming email that I could not find previously. But in that event there is no field subject.

 

index=cisco eventtype=cisco-esa  recipient="xxxx@yyy.zz"

 

Could someone help me out with some query that consolidate inbound /outbound emails with filtering capabilities?

thanks

Labels (1)
Labels
Tags (3)
0 Karma
Reply

corti77
Contributor
‎07-12-2022 03:09 AM

just to clarify a bit more, my final goal is to have a very similar dashboard like the one available for Exchange in ITSI but using only ESA events.

ITSI_track_message.png

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

ATTENTION!! We’re MOVING (not really)

Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

  Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...