Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to query alerts by a specific personal domains?

brc55
Explorer
‎08-04-2020 07:37 AM

Hello,

I'm trying to put a query together to monitor/view emails being sent externally to a personal domain. 

i.e. johnsmith@corporation.com  to john@smith.com  or johnsmith@personalbusiness.com 

I'm not looking for external personal email addresses like johnsmith@gmail  or hotmail.com, etc. Specifically domains that have some correlation to the users name that appear to be a personal domain. 

index=***this is a corp. email index*** (from_domain="corp.com" AND rcpt_domain="??????")

Any help is appreciated! Thanks!

Labels (2)
Labels
Tags (3)
0 Karma
Reply

putnamblake
Path Finder
‎08-04-2020 03:24 PM

If the values you provided are fields or sources in your Splunk instance, and data for all outbound email domains is rolling into "rcpt_domain" why not exclude the known personal email domains you mentioned.

 

EX: index=Your_email_index from_domain=corp.com rcpt_domain NOT ("*gmail.com" OR "*hotmail.com" OR "*yahoo.com" OR "*aol.com") AND rcpt_domain=*

| rename from_domain as "Received From" , rcpt_domain as "Sent To Personal Domain"
|stats count by "Received From","Sent To Personal Domain"

 

0 Karma
Reply

brc55
Explorer
‎08-05-2020 06:18 AM

Thanks @putnamblake but unfortunately, that's not working. I think there may need to be some regex involved to help identify/match the from (corporate) email addresses to the personal domains.

0 Karma
Reply

putnamblake
Path Finder
‎08-05-2020 07:21 AM

Can you post a sample of the logs please?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...