Solved: Filter sender email which not contains specific su... - Splunk Community

Splunk Search

Dear all,

I try to filter sender email which not contains specific 3 subdomains and domain.

For example:

sender:

user1@aaa.domain.com

user2@bbb.domain.com

user355@ccc.domain.com

userxxx@gmail.com

useryyy@top.domain2.com

i want just display with stats sender userxxx@gmail.comand user useryyy@top.domain2.com

I try to add

index = * sourcetype="cisco:esa:textmail" OR sourcetype=MSExchange* | eventstats values(src) AS cs_ip BY icid
[...} where mvcount(recipient) > 5 and sender !="[\w][\w\-\.]+@(?domain.com)"

or using this:

| rex field=sender "[\w][\w\-\.]+@(?<domain>\w[\w\-\.]+[a-zA-Z]{2,5})"
| stats sum(count) as count by domain_detected
| eval domain_detected=mvfilter(domain_detected!="*.domain.com")

without success

1 Solution

Solution

index = * sourcetype="cisco:esa:textmail" OR sourcetype=MSExchange* | eventstats values(src) AS cs_ip BY icid
[...} where mvcount(recipient) > 5 AND NOT match(sender, "\w[\w\-\.]+@\w+\.domain\.com$")

View solution in original post

Solution

index = * sourcetype="cisco:esa:textmail" OR sourcetype=MSExchange* | eventstats values(src) AS cs_ip BY icid
[...} where mvcount(recipient) > 5 AND NOT match(sender, "\w[\w\-\.]+@\w+\.domain\.com$")

Thank you . Works like a charm

Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community, What’s the best part of hearing how our customers use Splunk? Easy: the positive ...