Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Get percentage of eval case fields
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JordanPeterson
Path Finder
09-15-2017
04:38 PM
I'm looking at a specific email recipient. I want to see the percentage of emails they receive from specific senders. I think my current query gets all the fields I need but I'm having trouble breaking the results down to stats by month. Here is my current query:
index=msexchange (recipients="user@domain.org") eventtype="smtp-mail"
| eval sender_username=lower(sender_username)
| eval valid_sender=case(
sender_username=="mailer-daemon" OR sender_username=="postmaster","Bounceback",
sender_username!="mailer-daemon" OR sender_username!="postmaster","Valid")
| eval Month=strftime(_time,"%b")
Now what I would like to do is get a total count of emails sent to the recipient each month and another column that states the percentage of those emails per month where valid_sender="Bounceback"
The end results would hopefully look something like this:
| Recipient | Month | Count | Bounceback% |
| user@domain.org | May | 500 | 25% |
| user@domain.org | June | 1000 | 30% |
| user@domain.org | July | 750 | 20% |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
09-15-2017
06:12 PM
Like this:
index=msexchange (recipients="user@domain.org") eventtype="smtp-mail"
| eval sender_username=lower(sender_username)
| eval type= if(sender_username=="mailer-daemon" OR sender_username=="postmaster"), "Bounceback", "Valid")
| bucket _time span=1mon
| top type BY Recipient _time
| eventstats sum(count) AS count BY Recipient _time
| search type="Bounceback"
| rename percent AS "Bounceback %"
| eval Month = strftime(_time, "%B")
| table Recipient Month count Bounceback*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-18-2017
11:31 AM
Give this a try as well
index=msexchange (recipients="user@domain.org") eventtype="smtp-mail"
| eval sender_username=lower(sender_username)
| eval Bounceback= if(sender_username=="mailer-daemon" OR sender_username=="postmaster"), 1,0)
| eval Month = strftime(_time, "%B")
| stats count as Count sum(Bounceback) as Bouceback by Recipient Month
| eval "Bouceback%"=round(Bounceback*100/Count) | fields - Bouceback
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JordanPeterson
Path Finder
09-18-2017
01:23 PM
Both answers worked. @woodcock's appeared to run quicker so I've given him the accept. Thank you for your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lfedak_splunk
Splunk Employee
09-18-2017
11:07 AM
Hey @JordanPeterson, if @woodcock's solution worked please remember to close the question and award karma points by accepting the answer. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
09-15-2017
06:12 PM
Like this:
index=msexchange (recipients="user@domain.org") eventtype="smtp-mail"
| eval sender_username=lower(sender_username)
| eval type= if(sender_username=="mailer-daemon" OR sender_username=="postmaster"), "Bounceback", "Valid")
| bucket _time span=1mon
| top type BY Recipient _time
| eventstats sum(count) AS count BY Recipient _time
| search type="Bounceback"
| rename percent AS "Bounceback %"
| eval Month = strftime(_time, "%B")
| table Recipient Month count Bounceback*
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Unlock What’s Next: The Splunk Cloud Platform at .conf25
In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...
Index This | How many sevens are there between 1 and 100?
August 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
