When I do this search, I get 17 results back:
index=hubtracking | where like(sender_address, "%@gmail.com")
I want to put this into a field, that counts the number of emails coming from gmail.com. So I try to do this:
index=hubtracking | stats count(where like(sender_address, "%@gmail.com")) as GmailCount
But the above search returns 0 results! What am I doing wrong?
Ultimately, what I want to do is have a count of the number of emails coming from or going to gmail.com (by request from our IT Security Department). I would think that I do this...am I on the right track? Please help.
index=hubtracking | stats count(where like(sender_address, "%@gmail.com") OR like(recipient_address) as GmailCount
The where command may be overkill here, since you can simply do:
1) index=hubtracking sender_address="*@gmail.com"
which has 17 results, or:
2) index=hubtracking sender_address="*@gmail.com" | stats count
which has only 1 result, with a count field whose value is 17.
3) You probably want to extract the email domain as its own field though, either with a field extraction or simply with the rex command.
Here's a quick example using the rex command to extract an email_domain field from the sender_address field. With that field I then build a simple report of all the outside domains:
index=hubtracking NOT sender_address="*@actualcompany.com"
| rex field=sender_address "(?<email_username>[^@]+)?@(?<email_domain>.+)"
| stats count by email_domain
http://www.splunk.com/base/Documentation/latest/Knowledge/Addfieldsatsearchtime
http://www.splunk.com/base/Documentation/latest/SearchReference/Stats
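The rex-then-stats pipeline in the answer above, modelled in Python as an added example (not code from the original answer or from Splunk). It uses the same regex as the answer, runs it over a few constructed hubtracking-style records, and also covers the original question's real goal, counting events where either the sender or the recipient is at a given domain, which the answer's sender-only search does not do. The record shape and field names are assumed from the page; the domain comparison is lower-cased so that mixed-case addresses are not missed.

```python
import re
from collections import Counter

# Constructed sample records in the shape of the hubtracking events discussed
# on the page (the field names sender_address / recipient_address come from
# the page; the values are made up for this example).
SAMPLE_EVENTS = [
    {"sender_address": "alice@gmail.com", "recipient_address": "bob@actualcompany.com"},
    {"sender_address": "carol@actualcompany.com", "recipient_address": "dave@Gmail.com"},
    {"sender_address": "eve@partner.example", "recipient_address": "frank@actualcompany.com"},
    {"sender_address": "malformed-no-at-sign", "recipient_address": "grace@actualcompany.com"},
    {"sender_address": "heidi@gmail.com", "recipient_address": "ivan@gmail.com"},
]

# Same pattern as the answer's rex command, in Python named-group syntax.
# The username group is optional, so "@example.com" still yields a domain.
EMAIL_RE = re.compile(r"^(?P<email_username>[^@]+)?@(?P<email_domain>.+)$")


def email_domain(address):
    """Return the lower-cased domain of an address, or None when it has no '@'.

    Returning None mirrors rex leaving the field unset on a non-match, so the
    malformed record simply drops out of the 'stats count by' result.
    """
    match = EMAIL_RE.match(address or "")
    if match is None:
        return None
    return match.group("email_domain").lower()


def count_by_domain(events, field="sender_address", exclude=None):
    """Equivalent of:  NOT <field>="*@<exclude>" | rex ... | stats count by email_domain"""
    counts = Counter()
    for event in events:
        domain = email_domain(event.get(field))
        if domain is None or domain == exclude:
            continue
        counts[domain] += 1
    return dict(counts)


def count_involving_domain(events, domain="gmail.com"):
    """Count events where the sender OR the recipient is at `domain`.

    Each event is counted once even when both sides match, which is the
    'coming from or going to' number the original question asked for.
    """
    domain = domain.lower()
    total = 0
    for event in events:
        sides = (email_domain(event.get("sender_address")),
                 email_domain(event.get("recipient_address")))
        if domain in sides:
            total += 1
    return total


if __name__ == "__main__":
    print(count_by_domain(SAMPLE_EVENTS, exclude="actualcompany.com"))
    print(count_involving_domain(SAMPLE_EVENTS))
```

Note that the question's original attempt fails because where is a command, not a function, so it cannot be nested inside stats. The SPL idiom for a conditional count (not shown on the page, but standard Splunk syntax) is `stats count(eval(like(sender_address, "%@gmail.com"))) as GmailCount`, which is what the Python `count_involving_domain` models for the two-sided case.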
Great thanks, this helped me to figure out:
rex field=sender_address ".[^@]+?@(?
Which allows me to do further filtering on just the information I needed in that field.