Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get total of unique senders and recipients from Index=msexchange

tristamaltizo
New Member
‎01-20-2016 08:51 AM

I think I was able to get the total number of unique senders and unique recipients. But, now I need the total of unique communicators (senders + recipients). Looking for formula to add the two numbers.

index=msexchange | stats dc(sender) as Distinct_Sender
index=msexchange | stats dc(recipients) as Distinct_Recipients

Thanks for any help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎01-20-2016 09:54 AM

Have you tried using eval?

index=msexchange | stats dc(sender) as Distinct_Sender dc(recipients) as Distinct_Recipients | eval Total=Distinct_Sender + Distinct_Recipients

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎01-20-2016 09:54 AM

Have you tried using eval?

index=msexchange | stats dc(sender) as Distinct_Sender dc(recipients) as Distinct_Recipients | eval Total=Distinct_Sender + Distinct_Recipients
0 Karma
Reply
Solved! Jump to solution

tristamaltizo
New Member
‎01-20-2016 11:47 AM

The is what I was looking for....Thanks @jplumsdaine22 !

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎01-20-2016 09:07 AM

What about this?

index=msexchange
| fields _time, sender, recipients
| eval sender_recipient = sender. "<-->" . recipients
| stats dc(sender_recipient) as Distinct_Senders_Recipients

If your recipient field is a multivalued one then the following should work:

index=msexchange
| fields _time, sender, recipients
| mvexpand recipients
| eval sender_recipients = sender. "<-->" . recipients
| stats dc(sender_recipients) as Distinct_Senders_Recipients

The obviously a problem with this. It won't treat as one those conversations where the recipient and the sender are swapped.
If you want to achieve this the following example might help:

index=msexchange
| fields _time, sender, recipients
| mvexpand recipients
| eval conversation=mvjoin(mvsort(mvappend(sender,recipients)), " <--> ")
| stats count by conversation

More details here: https://answers.splunk.com/answers/331939/how-to-search-the-count-of-emails-sent-between-two.html

0 Karma
Reply
Solved! Jump to solution

tristamaltizo
New Member
‎01-20-2016 11:46 AM

This is a search that meets one of the email requirements I'm tasked with even if I wasn't initially asking for it! The second option is what I'm using. Thank you for your input and for the reference link!

0 Karma
Reply
Solved! Jump to solution

tristamaltizo
New Member
‎01-20-2016 01:27 PM

Hi @javiergn

It doesn't look like the mvexpand is separating the email addresses that are semi-colon delimited. So, it's counting the entire multi-value email value for recipients <--> sender pairs. Is there another way?

recipients="user1@co.com;user2@co.com;user3@co.com;user4@co.com;user5@co.com"

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...