Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Filter Email Address Country of Origin Using Lookup

griffins
Explorer
‎07-14-2020 08:46 AM

Assume I have a simple search that lists in a table the email addresses of those who recently sent an email:

index=email | table sender

 The email index does not have a field that identifies the country the sender address is from; however, it is known that the listed sender addresses are from many different countries. If I have a lookup that contains all the email addresses located in the US using the format:

email country
address1@mail.com US
address2@mail.com US
...

 How can I filter my search results to only contain sender email addresses from those located in the US (based off of the lookup), while also adding a field to the table that shows US?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

anilchaithu
Builder
‎07-14-2020 08:56 AM

@griffins 

you can use something simple like this

 

index=email | table sender | lookup lookup_name email as sender output country | dedup country

 

OR you can try with subsearch. Since the query only searches the senders from the lookup you can add country as US

 

index=email [ | inputlookup lookup_name | rename email as sender | table sender | format] | eval country="US" | table sender country

 

 

Hope this helps 

View solution in original post

Reply
Solved! Jump to solution
Solution

anilchaithu
Builder
‎07-14-2020 08:56 AM

@griffins 

you can use something simple like this

 

index=email | table sender | lookup lookup_name email as sender output country | dedup country

 

OR you can try with subsearch. Since the query only searches the senders from the lookup you can add country as US

 

index=email [ | inputlookup lookup_name | rename email as sender | table sender | format] | eval country="US" | table sender country

 

 

Hope this helps 

Reply
Solved! Jump to solution

griffins
Explorer
‎07-14-2020 09:04 AM

@anilchaithu This works great! Thank you so much.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...