Splunk Search

Excluding internal to addresses from the from field using regex

emcglade
Engager

I am trying to create a dash which uses tokens for different clients, capturing any attachments sent externally.

I have extracted the domain name from my search using regex so I can then exclude the internal "to" address, so that all emails being recorded are external.
The exclusion is where I am getting stuck, if anyone has any ideas?

 

index=test sourcetype="messagetracker" attachments=true
client_code=$client$
| eval timestamp=strftime(_time, "%m-%d-%Y %H:%M:%S")
| rename fromEnv.emailAddress as from_envelope_address, fromHdr.emailAddress as from_header_address, from.displayableName as from_displayname, fromHdr.displayableName as from_header_displayname, to.displayableName as to_displayname, to{}.displayableName as to_array_displayname, from.emailAddress as from_address, fromHeader.emailAddress as from_header2_address, to.emailAddress as to_address, to{}.emailAddress as to_array_address
| search from_envelope_address=*
| rename to_array_address as to
| rename from_envelope_address as from
| search to="***" from="***"
| rex field=from "\@(?<domain>[^ ]*)"
| search NOT (to in domain)
| dedup from, to, subject, status, info, route
| fillnull value="n/a" from_header_address
| table timestamp, from, to, domain, attachments, status, info, route, spamScore, client_code


yuanliu
SplunkTrust

Instead of looking for to in domain, look for domain in to. One way to do this is to convert multivalue to into a plain string:

| eval to = mvjoin(to, ",")
| where NOT match(to, "^[^,]+@".domain."$")

 

Given this composite dataset:

domain    from          to
abc.com   body@abc.com  body@abc.com
                        body@bcd.com
                        body@cde.com
abc.com   body@abc.com  body@abc.com
                        body@def.com
                        body@efg.com
abc.com   body@abc.com  body@abc.com
                        body@fgh.com
                        body@abc.com

the output is:

domain    from          to
abc.com   body@abc.com  body@abc.com,body@bcd.com,body@cde.com
abc.com   body@abc.com  body@abc.com,body@def.com,body@efg.com
abc.com   body@abc.com  body@abc.com,body@fgh.com,body@abc.com

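As an added illustration, and not code from the question or from yuanliu's answer, the Python below reproduces the answer's mvjoin-then-match check over a constructed copy of the dataset above, and goes one step further with a per-recipient variant that keeps only the external addresses of each event (the case the question is actually after: mail with attachments leaving the client's domain). The event dictionaries, the extra fourth row, and the function names are assumptions made for this example; the only deliberate difference from the SPL is that the domain is regex-escaped before it is interpolated into the pattern, so the dot in "abc.com" cannot match an arbitrary character.

```python
import re

# Constructed sample events mirroring the answer's table (not real mail logs).
# "to" is a list, standing in for Splunk's multivalue field to{}.emailAddress.
EVENTS = [
    {"domain": "abc.com", "from": "body@abc.com",
     "to": ["body@abc.com", "body@bcd.com", "body@cde.com"]},
    {"domain": "abc.com", "from": "body@abc.com",
     "to": ["body@abc.com", "body@def.com", "body@efg.com"]},
    {"domain": "abc.com", "from": "body@abc.com",
     "to": ["body@abc.com", "body@fgh.com", "body@abc.com"]},
    # extra constructed row: purely internal mail, the case both filters should drop
    {"domain": "abc.com", "from": "body@abc.com",
     "to": ["body@abc.com"]},
]


def sender_domain(addr):
    """Equivalent of the question's rex: capture everything after '@'."""
    m = re.search(r"@([^ ]*)", addr)
    return m.group(1) if m else None


def answer_filter(events):
    """Reproduce the accepted answer:
       | eval to = mvjoin(to, ",")
       | where NOT match(to, "^[^,]+@".domain."$")
    Because [^,]+ cannot cross a comma, the pattern only matches when the
    joined string is a single address at the sender's domain, so an event is
    dropped only when its sole recipient is internal."""
    kept = []
    for e in events:
        joined = ",".join(e["to"])
        pattern = "^[^,]+@" + re.escape(e["domain"]) + "$"  # escape added here
        if not re.search(pattern, joined):
            kept.append({**e, "to": joined})
    return kept


def external_recipients(events):
    """Generalisation: filter the multivalue field itself, keeping only
    recipients outside the sender's domain, and drop events that have none.
    This is what a 'attachments sent externally' report usually wants."""
    out = []
    for e in events:
        suffix = "@" + e["domain"].lower()
        ext = [t for t in e["to"] if not t.lower().endswith(suffix)]
        if ext:
            out.append({**e, "to": ext})
    return out


if __name__ == "__main__":
    for row in answer_filter(EVENTS):
        print("answer :", row["to"])
    for row in external_recipients(EVENTS):
        print("external:", ",".join(row["to"]))
```

Running it shows the difference between the two approaches on the same data: the answer's check keeps the three original rows unchanged (each has at least one external recipient, so the joined string never matches) and drops the purely internal fourth row, while the per-recipient variant additionally strips body@abc.com out of every kept row, which is the shape the question's dashboard needs if internal recipients should not appear in the table at all.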