Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add more data about emails to search

sulaimancds
Engager
‎02-24-2023 07:30 AM
 

 

 

index=mail 
| lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match 
| where isnull(domain_match) 
| lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2 
| where isnotnull(domain_match2) 
| stats values(recipient) as recipient values(subject) as subject earliest(_time) AS "Earliest" latest(_time) AS "Latest" by RecipientDomain sender 
| where mvcount(recipient)=1
| eval subject_count=mvcount(subject)
| sort - subject_count 
| convert ctime("Latest") 
| convert ctime("Earliest")

 

 

i would like to include in the results if there are any attachments in the email, show me the attachment name and size of the attachment in MB/GB.

 

Is this possible ?

 

Adding on ,

also i have list of suspicious keywords to in a list in lookup editor called suspicoussubject_keywords.

 

can you include the query to lookup for this keyword in subject and then display results?

 
Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-24-2023 08:54 AM

This is impossible to answer this question without knowing what is in your data. Splunk only processes the data it gets from the third-party systems. If your data includes info about attachments it will be possible to add that but if it doesn't - where would you get it from?

0 Karma
Reply

sulaimancds
Engager
‎02-24-2023 03:24 PM

Yes understood that, what about suspicious keywords in subject, I already have the wordlist created, in lookup editor, and would like the query to search the suspicious subject and provide the results. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-26-2023 10:50 AM

Well... there are several approaches you can take here - a wildcard lookup, splitting your subject and doing a lookup, generating a set of conditions from a subsearch - each has its pros and cons depending on your particular situation but the question is what are you trying to do? Splunk is _not_ an email filtering solution...

0 Karma
Reply

sulaimancds
Engager
‎02-26-2023 03:43 PM

If the subject has keywords like tender, project, architecture, then those results should be displayed.

 

Please help with command. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-27-2023 01:18 AM

What have you tried so far and what were the results?

Have you tried any of the approaches I mentioned?

0 Karma
Reply

sulaimancds
Engager
‎02-27-2023 01:19 AM

i tried to use lookup editor wordlist , to search but reuslts is 0 , can you helo me .

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...