Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Efficiently Search All Email Logs For Earliest Occurrence of Email Domain

dtaylor
Path Finder
‎08-21-2025 02:32 PM

I'm building out a search to look through email logs. The main search is fine, but I'd like to add fields showing when an email domain was first seen on our network, whether that be yesterday or three years ago.

I was initially considering some kind of sub-search but I'm not sure how much something like that would impact my search time wherein I'm searching through several years of data every time I run the search. The only fields I'd care about are the domain field and the _time field, so I could cut out the rest, but I don't think that'd be enough.

In this instance, would it be better to setup an accelerated data model instead and have it update at an interval(once every four hours, maybe?)? Or some kind of lookup table, perhaps? I also considered summary indexing, but I don't know enough about the specific of that feature set to draw any conclusions.

Just looking to see what my best option is~ I plan to pass this search to SOC analysts to help them search through email, hence it'd be a search run frequently.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dtaylor
Path Finder
‎08-23-2025 12:53 AM

I ended up choosing a little of all options! Created an accelerated data model to gather the data then used tstats in a report to actually process the data. That report uses outputlookup to create a lookup file from the report and is scheduled to run every 15 minutes and update the CSV with new data.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dtaylor
Path Finder
‎08-23-2025 12:53 AM

I ended up choosing a little of all options! Created an accelerated data model to gather the data then used tstats in a report to actually process the data. That report uses outputlookup to create a lookup file from the report and is scheduled to run every 15 minutes and update the CSV with new data.

0 Karma
Reply
Solved! Jump to solution

PrewinThomas
Motivator
‎08-21-2025 09:11 PM

@dtaylor 

I think easiest approach could be use a summary index or a lookup table. 

Eg. for lookup table

index=email
| stats earliest(_time) as first_seen by domain
| outputlookup domain_first_seen.csv

Then in your main search add lookup or use appendcols/join if you are using summary index. 

 

index=email
| lookup domain_first_seen.csv domain OUTPUT first_seen


Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎08-21-2025 07:17 PM

Building a lookup is perhaps the easiest.  Assuming domain is already extracted, you could do

sourcetype = mailstuff domain=* earliest=0
| stats min(_time) as first_seen by domain
| output lookup DomainFirstAppeared

 Of course, you need to define lookup DomainFirstAppeared.

After this, you can add this field first_seen in any search using lookup command, like this

sourcetype = mailstuff
| lookup DomainFirstAppeared domain

 

Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...