Splunk Search
Highlighted

How to generate a search to sort based on domain names and count the number of emails from the domain?

Explorer

i have a search with multiple domains in the email address , i need to sort it based on domain names and number of emails from the domain . here is the output from from which i need to sort

source email id , destination email id , email subject . 

count emails based on domain of the source email

0 Karma
Highlighted

Re: How to generate a search to sort based on domain names and count the number of emails from the domain?

Builder

have you created the field extractions for your data?

0 Karma
Highlighted

Re: How to generate a search to sort based on domain names and count the number of emails from the domain?

Communicator

can you post your existing spl ?

0 Karma
Highlighted

Re: How to generate a search to sort based on domain names and count the number of emails from the domain?

SplunkTrust
SplunkTrust
(your base search that results in one record per email with source, dest and subject...) 
| table EmailSource EmailDest EmailSubject
| rex field=EmailSource "[^@]*@(?<DomainSource>.*)"
| fillnull DomainSource value="((Domain not found))"
| eventstats count as DomainCount by DomainSource
| sort 0 -DomainCount DomainSource EmailSource
| table DomainSource DomainCount EmailSource EmailDest EmailSubject

Ans a run-anywhere search with some test data to prove out the above code...

| makeresults 
| eval mydata="junkemail,dest1@dest.com,Test Bad Email!!!!bill2@gates.com,dest2@dest2.com,Pay Me Now!!!!bill1@gates.com,dest3@dest2.com,Pay Me Now!!!!bill1@gates.com,dest4@dest4.com,Pay Me Now Or Else!!!!steve@apple.com,everybody@world.com,I Am Risen Because It's Cool" 
| makemv delim="!!!!" mydata 
| mvexpand mydata 
| makemv delim="," mydata
| eval EmailSource=mvindex(mydata,0),  EmailDest=mvindex(mydata,1), EmailSubject=mvindex(mydata,2)
| table EmailSource EmailDest EmailSubject

View solution in original post

0 Karma
Highlighted

Re: How to generate a search to sort based on domain names and count the number of emails from the domain?

Explorer

this is awesome thanks a lot

0 Karma