Splunk Search

Excluding internal to addresses from the from field using regex

emcglade
Engager

I am trying to create a dash which uses tokens for different clients, capturing any attachments sent externally.

I have extracted the domain name from my search using regex so I can then exclude the internal "to" address, so that all emails being recorded are external.
The exclusion is where I am getting stuck, if anyone has any ideas?

index=test sourcetype="messagetracker" attachments=true
client_code=$client$
| eval timestamp=strftime(_time, "%m-%d-%Y %H:%M:%S")
| rename fromEnv.emailAddress as from_envelope_address, fromHdr.emailAddress as from_header_address, from.displayableName as from_displayname, fromHdr.displayableName as from_header_displayname, to.displayableName as to_displayname, to{}.displayableName as to_array_displayname, from.emailAddress as from_address, fromHeader.emailAddress as from_header2_address, to.emailAddress as to_address, to{}.emailAddress as to_array_address
| search from_envelope_address=*
| rename to_array_address as to
| rename from_envelope_address as from
| search to="***" from="***"
| rex field=from "\@(?<domain>[^ ]*)"
| search NOT (to in domain)
| dedup from, to, subject, status, info, route
| fillnull value="n/a" from_header_address
| table timestamp, from, to, domain, attachments, status, info, route, spamScore, client_code


yuanliu
SplunkTrust

Instead of looking for to in domain, look for domain in to. One way to do this is to convert the multivalue to into a plain string:

| eval to = mvjoin(to, ",")
| where NOT match(to, "^[^,]+@".domain."$")
Given this composite dataset (to is a multivalue field):

domain    from           to
abc.com   body@abc.com   body@abc.com
                         body@bcd.com
                         body@cde.com
abc.com   body@abc.com   body@abc.com
abc.com   body@abc.com   body@def.com
                         body@efg.com
abc.com   body@abc.com   body@fgh.com
                         body@abc.com

the output is:

domain    from           to
abc.com   body@abc.com   body@abc.com,body@bcd.com,body@cde.com
abc.com   body@abc.com   body@def.com,body@efg.com
abc.com   body@abc.com   body@fgh.com,body@abc.com

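To see how the mvjoin-plus-match approach above behaves on the sample dataset, here is an added Python model of the same logic (example code, not part of the original thread or of Splunk itself). It constructs the four rows from the answer, joins the multivalue to field with a comma, and applies the equivalent of the where NOT match(...) test; ROWS, mvjoin, keep_external and filter_rows are names assumed for this example.

```python
import re

# Constructed sample rows mirroring the composite dataset in the answer:
# each row carries the sender's domain, the sender, and a multivalue "to".
ROWS = [
    {"domain": "abc.com", "from": "body@abc.com",
     "to": ["body@abc.com", "body@bcd.com", "body@cde.com"]},
    {"domain": "abc.com", "from": "body@abc.com",
     "to": ["body@abc.com"]},
    {"domain": "abc.com", "from": "body@abc.com",
     "to": ["body@def.com", "body@efg.com"]},
    {"domain": "abc.com", "from": "body@abc.com",
     "to": ["body@fgh.com", "body@abc.com"]},
]


def mvjoin(values, sep=","):
    """Equivalent of SPL mvjoin(): flatten a multivalue field to one string."""
    return sep.join(values)


def keep_external(row):
    """Mirror of `where NOT match(to, "^[^,]+@".domain."$")`.

    Because of the ^ and $ anchors and the [^,]+ class, the pattern only
    matches when the joined string is a single address at the sender's
    domain. The SPL interpolates the domain unescaped; re.escape is used
    here so the '.' in the domain is matched literally.
    """
    joined = mvjoin(row["to"])
    pattern = r"^[^,]+@" + re.escape(row["domain"]) + r"$"
    return re.match(pattern, joined) is None


def filter_rows(rows):
    """Return the surviving rows with `to` joined, like the answer's output table."""
    kept = []
    for row in rows:
        if keep_external(row):
            kept.append({**row, "to": mvjoin(row["to"])})
    return kept


if __name__ == "__main__":
    for r in filter_rows(ROWS):
        print(r["domain"], r["from"], r["to"])
```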