Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add more data about emails to search

sulaimancds
Engager
‎02-24-2023 07:30 AM
 

 

 

index=mail 
| lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match 
| where isnull(domain_match) 
| lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2 
| where isnotnull(domain_match2) 
| stats values(recipient) as recipient values(subject) as subject earliest(_time) AS "Earliest" latest(_time) AS "Latest" by RecipientDomain sender 
| where mvcount(recipient)=1
| eval subject_count=mvcount(subject)
| sort - subject_count 
| convert ctime("Latest") 
| convert ctime("Earliest")

 

 

i would like to include in the results if there are any attachments in the email, show me the attachment name and size of the attachment in MB/GB.

 

Is this possible ?

 

Adding on ,

also i have list of suspicious keywords to in a list in lookup editor called suspicoussubject_keywords.

 

can you include the query to lookup for this keyword in subject and then display results?

 
Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-24-2023 08:54 AM

This is impossible to answer this question without knowing what is in your data. Splunk only processes the data it gets from the third-party systems. If your data includes info about attachments it will be possible to add that but if it doesn't - where would you get it from?

0 Karma
Reply

sulaimancds
Engager
‎02-24-2023 03:24 PM

Yes understood that, what about suspicious keywords in subject, I already have the wordlist created, in lookup editor, and would like the query to search the suspicious subject and provide the results. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-26-2023 10:50 AM

Well... there are several approaches you can take here - a wildcard lookup, splitting your subject and doing a lookup, generating a set of conditions from a subsearch - each has its pros and cons depending on your particular situation but the question is what are you trying to do? Splunk is _not_ an email filtering solution...

0 Karma
Reply

sulaimancds
Engager
‎02-26-2023 03:43 PM

If the subject has keywords like tender, project, architecture, then those results should be displayed.

 

Please help with command. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-27-2023 01:18 AM

What have you tried so far and what were the results?

Have you tried any of the approaches I mentioned?

0 Karma
Reply

sulaimancds
Engager
‎02-27-2023 01:19 AM

i tried to use lookup editor wordlist , to search but reuslts is 0 , can you helo me .

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...