Splunk Search

How to display only subsets of data from correlated sendmail log transactions?

mailwimp
Engager

The sender and recipient information I need from Unix/Linux "sendmail" logs is contained in separate lines in the sendmail log. I am able to correlate all the entries for a given email using a nested search, dedup, and transaction using the following search:

     index="sendmail_logs" host=relay* [search index="sendmail_logs" host=relay* from=\<*@example.com\> | dedup qid | fields qid ] | transaction fields=qid maxspan=1m

which produces the following (simplified and obfuscated):

2023-01-26T23:37:25+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter=ourmiltname, action=mail, continue
2023-01-26T23:37:25+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter=ourmiltname, action=rcpt, continue
2023-01-26T23:37:25+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter=ourmiltname, action=data, continue
2023-01-26T23:37:25+00:00 relay1 sendmail[115877]: 30QNbOpD115877: from=<bounce+e1165d.ef30-username=ourdomain.com@example.com>, size=25677, class=0, nrcpts=1, msgid=<20230126233721.b60dfcd8b6c1249b@example.com>, bodytype=8BITMIME, proto=ESMTPS, daemon=MTA, tls_verify=NO, auth=NONE, relay=m194-164.mailgun.net [161.38.194.164]
2023-01-26T23:37:26+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter add: header: X-NUNYA-SPF-Record: v=spf1 include:mailgun.org include:_spf.smtp.com ~all
2023-01-26T23:37:26+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter change: header Subject: from Sample Subject Line to EXTERNAL: Sample Subject Line
2023-01-26T23:37:26+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter=ourmiltname, action=eoh, continue
2023-01-26T23:37:27+00:00 relay1 sendmail[115887]: 30QNbOpD115877: to=<username@ourdomain.com>, delay=00:00:02, xdelay=00:00:01, mailer=smtp, tls_verify=OK, pri=145677, relay=nexthop.ourdomain.com. [192.168.0.7], dsn=2.0.0, stat=Sent (30QNbQau230876 Message accepted for delivery)
2023-01-26T23:37:27+00:00 relay1 sendmail[115887]: 30QNbOpD115877: done; delay=00:00:02, ntries=

Now, what I want to do is reduce the output to only the lines that contain the strings "from=" OR "to=". I am new to Splunk, so I tried adding

          |  regex _raw="from\=\<|to\=\<"

but all the lines are still displayed. Suggestions on how to correct my query?


yuanliu
SplunkTrust
SplunkTrust

Do you mean

index="sendmail_logs" host=relay* (TERM(from=) OR TERM(to=))
    [ search index="sendmail_logs" host=relay* from=\<*@example.com\> | dedup qid | fields qid ]
| transaction fields=qid maxspan=1m
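The same correlation the search above performs, reimplemented offline as an added Python example (not Splunk code and not from this thread): phase 1 plays the role of the subsearch (queue ids whose envelope sender is in the given domain), phase 2 plays the role of the outer search plus transaction (only the from= and to= lines for those ids, within a one-minute span). The sample lines follow the shape of the excerpt in the question; queue ids, hosts and addresses in them are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of the excerpt above (ids, hosts, addresses made up).
SAMPLE_LOG = """\
2023-01-26T23:37:25+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter=ourmiltname, action=mail, continue
2023-01-26T23:37:25+00:00 relay1 sendmail[115877]: 30QNbOpD115877: from=<bounce+e1165d@example.com>, size=25677, nrcpts=1, relay=m194-164.mailgun.net [161.38.194.164]
2023-01-26T23:37:26+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter change: header Subject: from Sample Subject Line to EXTERNAL: Sample Subject Line
2023-01-26T23:37:27+00:00 relay1 sendmail[115887]: 30QNbOpD115877: to=<username@ourdomain.com>, delay=00:00:02, mailer=smtp, dsn=2.0.0, stat=Sent (30QNbQau230876 Message accepted for delivery)
2023-01-26T23:38:00+00:00 relay1 sendmail[115900]: 30QNc0aa115900: from=<alice@other.test>, size=100, nrcpts=1, relay=mx.other.test [10.0.0.5]
2023-01-26T23:38:01+00:00 relay1 sendmail[115901]: 30QNc0aa115900: to=<bob@ourdomain.com>, delay=00:00:01, mailer=smtp, dsn=2.0.0, stat=Sent (ok)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sendmail\[\d+\]: (?P<qid>\w+): (?P<msg>.*)$")
ENVELOPE_RE = re.compile(r"^(?P<kind>from|to)=<(?P<addr>[^>]*)>")

def parse(log_text):
    """Yield (timestamp, host, qid, msg) for every line that looks like a sendmail entry."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["qid"], m["msg"]

def correlate(log_text, sender_domain, maxspan=timedelta(minutes=1)):
    """Return {qid: [(kind, addr), ...]} for messages whose envelope sender is in sender_domain."""
    events = list(parse(log_text))
    # Phase 1 (the subsearch): queue ids whose from= line is in the sender domain.
    wanted = set()
    for _, _, qid, msg in events:
        m = ENVELOPE_RE.match(msg)
        if m and m["kind"] == "from" and m["addr"].lower().endswith("@" + sender_domain.lower()):
            wanted.add(qid)
    # Phase 2 (outer search + transaction): keep only from=/to= lines for those qids, grouped
    # by qid (the to= line comes from a different sendmail pid, so the pid cannot be the key).
    groups, first_seen = {}, {}
    for ts, _, qid, msg in events:
        m = ENVELOPE_RE.match(msg)
        if qid not in wanted or not m:
            continue
        first_seen.setdefault(qid, ts)
        if ts - first_seen[qid] > maxspan:  # mirrors maxspan=1m: drop late stragglers
            continue
        groups.setdefault(qid, []).append((m["kind"], m["addr"]))
    return groups
```

Lines such as the "milter change: header Subject: from ..." entry are dropped because the envelope pattern is anchored at the start of the message, which is the same effect the TERM() filter has on the token "from=".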


mailwimp
Engager

@yuanliu Your solution was very close - and got me pointed in the right direction that solved my issue and provided the results I needed. Needed to add quotation marks around the TERM searches so that the query would work; i.e.:

        (TERM("from=") OR TERM("to="))        


mailwimp
Engager

Tried that, but I need to query against a specific sending domain and need the complete set of data on the "from=" and "to=" lines to be able to provide transaction tracking data to an info security team member who needs it as part of his investigation.


scelikok
SplunkTrust
SplunkTrust

Hi @mailwimp,

If you need only from and to fields, you can try below;

index="sendmail_logs" host=relay* 
| stats values(from) as from values(to) as to by qid
If this reply helps you, an upvote and "Accept as Solution" is appreciated.