Solved: How to display only subsets of data from correlate...

mailwimp · ‎01-27-2023

The sender and recipient information I need from Unix/Linux "sendmail" logs is contained in separate lines in the sendmail log. I am able to correlate all the entries for a given email using nested search, dedup, and transation using the following search:

index="sendmail_logs" host=relay* [search index="sendmail_logs" host=relay* from=\<*@example.com\> | dedup qid | fields qid ] | transaction fields=qid maxspan=1m

which produces the following (simplified and obfuscated):

2023-01-26T23:37:25+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter=ourmiltname, action=mail, continue
2023-01-26T23:37:25+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter=ourmiltname, action=rcpt, continue
2023-01-26T23:37:25+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter=ourmiltname, action=data, continue
2023-01-26T23:37:25+00:00 relay1 sendmail[115877]: 30QNbOpD115877: from=<bounce+e1165d.ef30-username=ourdomain.com@example.com>, size=25677, class=0, nrcpts=1, msgid=<20230126233721.b60dfcd8b6c1249b@example.com>, bodytype=8BITMIME, proto=ESMTPS, daemon=MTA, tls_verify=NO, auth=NONE, relay=m194-164.mailgun.net [161.38.194.164]
2023-01-26T23:37:26+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter add: header: X-NUNYA-SPF-Record: v=spf1 include:mailgun.org include:_spf.smtp.com ~all
2023-01-26T23:37:26+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter change: header Subject: from Sample Subject Line to EXTERNAL: Sample Subject Line
2023-01-26T23:37:26+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter=ourmiltname, action=eoh, continue
2023-01-26T23:37:27+00:00 relay1 sendmail[115887]: 30QNbOpD115877: to=<username@ourdomain.com>, delay=00:00:02, xdelay=00:00:01, mailer=smtp, tls_verify=OK, pri=145677, relay=nexthop.ourdomain.com. [192.168.0.7], dsn=2.0.0, stat=Sent (30QNbQau230876 Message accepted for delivery)
2023-01-26T23:37:27+00:00 relay1 sendmail[115887]: 30QNbOpD115877: done; delay=00:00:02, ntries=

Now, what I want to do is reduce the output to only the lines that contain the strings "from=" OR "to=". I am new to splunk, so i tried adding adding

| regex _raw="from\=\<|to\=\<"

but all the lines are still displayed. Suggestions on how to correct my query?

yuanliu · ‎01-28-2023

Do you mean

index="sendmail_logs" host=relay* (TERM(from=) OR TERM(to=))
    [ search index="sendmail_logs" host=relay* from=\<*@example.com\> | dedup qid | fields qid ]
| transaction fields=qid maxspan=1m

View solution in original post

yuanliu · ‎01-28-2023

Do you mean

index="sendmail_logs" host=relay* (TERM(from=) OR TERM(to=))
    [ search index="sendmail_logs" host=relay* from=\<*@example.com\> | dedup qid | fields qid ]
| transaction fields=qid maxspan=1m

mailwimp · ‎01-29-2023

@yuanliu Your solution wass very close - and got me pointed in right direction that solved my issue and provided the results I needed . Needed to add quotation marks around the TERM searches so that query would work ; i.e. :

(TERM("from=") OR TERM("to="))

mailwimp · ‎01-27-2023

Tried that, but by I need to query against a specific sending domain and need the complete set of data on the "from=" and "to=" lines to be able to provide transaction tracking data to an info security team member that needs it as part of his investigation.

scelikok · ‎01-27-2023

Hi @mailwimp,

If you need only from and to fields, you can try below;

index="sendmail_logs" host=relay* 
| stats values(from) as from values(to) as to by qid

If this reply helps you an upvote and "Accept as Solution" is appreciated.

How to display only subsets of data from correlated sendmail log transactions?

fields

regex

subsearch

transaction

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition

Are you a member of the Splunk Community?