Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Join (Inner or left) or Eval to join events from same source via common field

kelie
Path Finder
‎03-26-2020 11:12 AM

logs from an email server throws multiple events (each a different detail) for one email and each event has a numerical value field (MID). Each email has a unique MID

I need to extract the recipient from the events and subject containing "Password Expiring Soon" where the MID matches in each event

im trying this to get the data but its terribly slow and missing and not tabling correctly

index=email MID=* | join type=left MID [search index=email subject="Password Expiring Soon"]|join type=left MID [search index=email recipient=*]

Please assist

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

3no
Communicator
‎03-27-2020 09:35 AM

In large dataset or high time range, I think this method is the fastest.

First, I would recommand to find every MID where the Subject is "Password Expiring Soon" (in case of spam campaign you can have multiple). Then you'll want to find the sender and recipient for each of these MID.

From your description it should look something like this : 

index=email 
[ search index = email subject="Password Expiring Soon" | table MID | format "(" "(" "" ")" "OR" ")" ] 
| stats values(subject) AS Subject, values(sender) AS sender, values(recipient) AS recipient BY MID

3no

View solution in original post

Reply
Solved! Jump to solution
Solution

3no
Communicator
‎03-27-2020 09:35 AM

In large dataset or high time range, I think this method is the fastest.

First, I would recommand to find every MID where the Subject is "Password Expiring Soon" (in case of spam campaign you can have multiple). Then you'll want to find the sender and recipient for each of these MID.

From your description it should look something like this : 

index=email 
[ search index = email subject="Password Expiring Soon" | table MID | format "(" "(" "" ")" "OR" ")" ] 
| stats values(subject) AS Subject, values(sender) AS sender, values(recipient) AS recipient BY MID

3no

Reply
Solved! Jump to solution

kelie
Path Finder
‎03-27-2020 08:58 AM

heres some sample searches. stats sounds like the right path to take. The only consistent and common field is MID

index=email SUBJECT="ECHO Password Expiring Soon"

index=email MID=16211404

0 Karma
Reply
Solved! Jump to solution

rmmiller
Contributor
‎03-26-2020 05:11 PM

If I understand your data and intent correctly, this should do the trick:

index=email MID=
| stats values(subject) AS Subject, values(recipient) AS recipient BY MID
| where NOT isnull(mvfind(Subject,"Password Expiring Soon"))

Joins are painfully inefficient and can usually be avoided using stats and filtering after aggregation. This is definitely one of those instances.

Hope that helps!
rmmiller

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...