Splunk Search

How to combine two searches into one?

sulaimancds
Engager

1st query

index=mail NOT [ | inputlookup suspicoussubject_keywords.csv | rename keyword AS query | fields query ]
| lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match
| where isnull(domain_match)
| lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2
| where isnotnull(domain_match2)
| stats values(recipient) as recipient values(subject) as subject earliest(_time) AS "Earliest" latest(_time) AS "Latest" by RecipientDomain sender
| where mvcount(recipient)=1
| eval subject_count=mvcount(subject)
| sort - subject_count
| convert ctime("Latest")
| convert ctime("Earliest")

2nd query

index=o365
| dedup Id
| rename _time as DateTime, PolicyDetails{}.PolicyName as PolicyName, PolicyDetails{}.Rules{}.RuleName as RuleName, ExchangeMetaData.UniqueID as UniqueID, ExchangeMetaData.Subject as Subject, ExchangeMetaData.From as Sender, ExchangeMetaData.To{} as Recipient, ExchangeMetaData.CC{} as CC, ExchangeMetaData.BCC{} as BCC, ExchangeMetaData.RecipientCount as RecipientCount, PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Count as SensitiveInformationCount, PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.SensitiveInformationDetections.DetectedValues{}.Name as PIIName, PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.SensitiveInformationDetections.DetectedValues{}.Value as PIIValue, PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Location as Location
| dedup UniqueID
| rex field=Recipient "@(?<domain>.*$)"
| rex field=CC "@(?<domain>.*$)"
| rex field=BCC "@(?<domain>.*$)"
| eval domain=lower(domain)
| lookup email_domain_whitelist domain output domain as domain_match
| where isnull(domain_match)
| stats values(Recipient) values(CC) values(BCC) values(domain) Count sum(SensitiveInformationCount) by PolicyName Subject Sender
| sort +values(domain)

Hi, I would like to combine the first query into the second query, but the second query only shows those matching the policy; other than that it does not show. I want to show those matching the policy and, if it does not match, also please show it, but the policy field will be empty. Please advise. Index will be o365.


sulaimancds
Engager

Please help
