Splunk Search
Highlighted

How do I count the results I'm getting?

Path Finder

When I do this search, I get 17 results back:

index=hubtracking | where like(sender_address, "%@gmail.com")

I want to put this into a field, that counts the number of emails coming from gmail.com. So I try to do this:

index=hubtracking | stats count(where like(sender_address, "%@gmail.com")) as GmailCount

But the above search returns 0 results! What am I doing wrong?

Ultimately, what I want to do is have a count of the number of emails coming from or going to gmail.com (by request from our IT Security Department). I would think that I do this...am I on the right track? Please help.

index=hubtracking | stats count(where like(sender_address, "%@gmail.com") OR like(recipient_address) as GmailCount
Tags (2)
Highlighted

Re: How do I count the results I'm getting?

SplunkTrust
SplunkTrust

the where command may be overkill here, since you can simply do:

1) index=hubtracking sender_address="*@gmail.com"

which has 17 results, or:

2) index=hubtracking sender_address="*@gmail.com" | stats count

which has only 1 result, with a count field, whose value is 17

3) You probably want to extract the email domain as it's own field though, either with a field extraction or simply with the rex command.

Here's a quick example using the rex command to extract an email_domain field from the sender_address field. With that field I then build a simple report of all the outside domains.:

index=hubtracking NOT send_address="*@actualcompany.com"
| rex field=sender_address"(?<email_username>[^@]+)?@(?<email_domain>.+)"` 
| stats count by email_domain

http://www.splunk.com/base/Documentation/latest/Knowledge/Addfieldsatsearchtime

http://www.splunk.com/base/Documentation/latest/SearchReference/Stats

View solution in original post

Highlighted

Re: How do I count the results I'm getting?

Path Finder

Great thanks, this helped me to figure out:
rex field=senderaddress ".[^@]+?@(?<senderdomain>.+)"

Which allows me to do further filtering on just the information I needed in that field.

0 Karma