index=mail
| lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match
| where isnull(domain_match)
| lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2
| where isnotnull(domain_match2)
| stats values(recipient) as recipient values(subject) as subject earliest(_time) AS "Earliest" latest(_time) AS "Latest" by RecipientDomain sender
| where mvcount(recipient)=1
| eval subject_count=mvcount(subject)
| sort - subject_count
| convert ctime("Latest")
| convert ctime("Earliest")
I would like to include in the results whether there are any attachments in the email, showing the attachment name and the size of the attachment in MB/GB.
Is this possible?
Adding on,
I also have a list of suspicious keywords in the lookup editor called suspicoussubject_keywords.
Can you include the query to look up these keywords in the subject and then display the results?
It is impossible to answer this question without knowing what is in your data. Splunk only processes the data it gets from the third-party systems. If your data includes info about attachments it will be possible to add that, but if it doesn't - where would you get it from?
Yes, understood. What about suspicious keywords in the subject? I already have the wordlist created in the lookup editor, and would like the query to search for the suspicious subjects and provide the results.
Well... there are several approaches you can take here - a wildcard lookup, splitting your subject and doing a lookup, generating a set of conditions from a subsearch - each has its pros and cons depending on your particular situation but the question is what are you trying to do? Splunk is _not_ an email filtering solution...
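One way to fold a subject-keyword check into the asker's query, combining two of the approaches mentioned above (a subsearch that generates the search conditions, then splitting the subject and doing a lookup). This is an added example, not code from the thread; it assumes the lookup's keyword column is named `keyword` and holds lowercase single words, since CSV lookups match case-sensitively by default:

```spl
index=mail
    [| inputlookup suspicoussubject_keywords
     | eval subject="*".keyword."*"
     | fields subject
     | format]
| lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match
| where isnull(domain_match)
| lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2
| where isnotnull(domain_match2)
| eval token=split(lower(subject), " ")
| mvexpand token
| eval token=replace(token, "[^a-z0-9]", "")
| lookup suspicoussubject_keywords keyword AS token OUTPUT keyword AS matched_keyword
| where isnotnull(matched_keyword)
| stats values(matched_keyword) AS matched_keywords values(recipient) AS recipient values(subject) AS subject earliest(_time) AS Earliest latest(_time) AS Latest BY RecipientDomain sender
| where mvcount(recipient)=1
| eval subject_count=mvcount(subject)
| sort - subject_count
| convert ctime(Earliest) ctime(Latest)
```

The subsearch's `format` turns the lookup rows into an OR of `subject="*keyword*"` terms so only events whose subject contains a listed word enter the pipeline; the split/mvexpand/lookup steps then record which keyword matched in `matched_keywords`, and the `where isnotnull(matched_keyword)` line discards the expanded tokens that matched nothing.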
If the subject has keywords like tender, project, architecture, then those results should be displayed.
Please help with the command.
What have you tried so far and what were the results?
Have you tried any of the approaches I mentioned?
I tried to use the lookup editor wordlist to search, but the result is 0. Can you help me?