Splunk Search

Is it possible if a non matching domain is emailing us, it should display in a dashboard?

tonyxavierj
Engager

Hi

I am trying to explore more ways to check if business email compromise is happening in our organization, before the end user recognises it.

I have a list of domains that we usually communicate with; there are around 490 domains I have listed and added to a CSV file. There is an index which is updated in real time which has logs from Mimecast. I would like to list out domains which are trying to establish email communication with our organization which are not in the CSV file.

So if a non-matching domain is emailing us, it should display in a dashboard. Is this possible?


tonyxavierj
Engager

50000


ITWhisperer
SplunkTrust

Subsearches are limited to 50000 events - can you break the csv down into smaller files?

index= mimecast NOT [ | inputlookup Sender1.csv | return Sender ] AND NOT [ | inputlookup Sender2.csv | return Sender ] AND NOT [ | inputlookup Sender3.csv | return Sender ]
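A lookup-based alternative to the subsearch approach, added here as an example and not part of any reply in the thread: instead of expanding the CSV into a `NOT (...)` clause, which is what runs into the 50000-event subsearch limit, each event is matched against the lookup directly, so the size of the list no longer matters. It assumes a lookup definition named `known_domains` built from the CSV of ~490 domains with a lowercase field `domain`, that the Mimecast events carry the sender address in a field `Sender`, and (for the recipients column) a `Recipient` field; rename these to match your data.

```spl
index=mimecast Sender=*
| eval sender_addr=lower(trim(Sender))
| eval sender_domain=replace(sender_addr, "^.*@", "")
| eval sender_domain=replace(sender_domain, ">$", "")
| lookup known_domains domain AS sender_domain OUTPUT domain AS matched_domain
| where isnull(matched_domain)
| stats count AS messages,
        dc(sender_addr) AS distinct_senders,
        values(Recipient) AS recipients,
        min(_time) AS first_seen,
        max(_time) AS last_seen
  BY sender_domain
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M")
| sort - messages
```

The lowercasing matters because CSV lookups match case-sensitively unless the lookup definition sets `case_sensitive_match = false`, and the second `replace` only matters if the sender is logged as `Display Name <user@example.com>`. Saved as a scheduled report, this table can feed a dashboard panel directly.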

tonyxavierj
Engager

This is my search string:
index=mimecast NOT [ | inputlookup Sender1.csv | return Sender ]

The number of rows in the CSV is now reduced to 34000.

The search result is the same if I do a search for
index=mimecast
or
index=mimecast NOT [ | inputlookup Sender1.csv | return Sender ]

It is still not filtering or removing the email addresses listed in the CSV.


ITWhisperer
SplunkTrust

Try without the return:

index=mimecast NOT [ | inputlookup Sender1.csv ]

tonyxavierj
Engager

No change, it is still showing all the results.

No filtering applied.


tonyxavierj
Engager

It gives an error:
Regex: regular expression is too large

If format is removed it gives results, but the results are the same as without inputlookup.

ITWhisperer
SplunkTrust

How many rows does the csv file have?


richgalloway
SplunkTrust

A search for data in an index that is not in a CSV file would look something like this:

index=mimecast NOT [ | inputlookup domains.csv | return 1000 domain ]

I'm assuming the index and the CSV file use the same field names. If that is not the case then a rename will be needed after the inputlookup.

---
If this reply helps you, Karma would be appreciated.

tonyxavierj
Engager

Hi

I tried with the following search:

index= mimecast NOT [ | inputlookup Sender1.csv | return 1000 Sender ]
Sender1 has a list of email addresses and the field name is Sender.

The results are the same if I search with or without the filter. It is not omitting or removing the email addresses which are in the CSV file.


ITWhisperer
SplunkTrust

Does this work better?

index= mimecast NOT [ | inputlookup Sender1.csv | return 1000 Sender | format ] 