Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Join (Inner or left) or Eval to join events from same source via common field

kelie
Path Finder
‎03-26-2020 11:12 AM

logs from an email server throws multiple events (each a different detail) for one email and each event has a numerical value field (MID). Each email has a unique MID

I need to extract the recipient from the events and subject containing "Password Expiring Soon" where the MID matches in each event

im trying this to get the data but its terribly slow and missing and not tabling correctly

index=email MID=* | join type=left MID [search index=email subject="Password Expiring Soon"]|join type=left MID [search index=email recipient=*]

Please assist

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

3no
Communicator
‎03-27-2020 09:35 AM

In large dataset or high time range, I think this method is the fastest.

First, I would recommand to find every MID where the Subject is "Password Expiring Soon" (in case of spam campaign you can have multiple). Then you'll want to find the sender and recipient for each of these MID.

From your description it should look something like this : 

index=email 
[ search index = email subject="Password Expiring Soon" | table MID | format "(" "(" "" ")" "OR" ")" ] 
| stats values(subject) AS Subject, values(sender) AS sender, values(recipient) AS recipient BY MID

3no

View solution in original post

Reply
Solved! Jump to solution
Solution

3no
Communicator
‎03-27-2020 09:35 AM

In large dataset or high time range, I think this method is the fastest.

First, I would recommand to find every MID where the Subject is "Password Expiring Soon" (in case of spam campaign you can have multiple). Then you'll want to find the sender and recipient for each of these MID.

From your description it should look something like this : 

index=email 
[ search index = email subject="Password Expiring Soon" | table MID | format "(" "(" "" ")" "OR" ")" ] 
| stats values(subject) AS Subject, values(sender) AS sender, values(recipient) AS recipient BY MID

3no

Reply
Solved! Jump to solution

kelie
Path Finder
‎03-27-2020 08:58 AM

heres some sample searches. stats sounds like the right path to take. The only consistent and common field is MID

index=email SUBJECT="ECHO Password Expiring Soon"

index=email MID=16211404

0 Karma
Reply
Solved! Jump to solution

rmmiller
Contributor
‎03-26-2020 05:11 PM

If I understand your data and intent correctly, this should do the trick:

index=email MID=
| stats values(subject) AS Subject, values(recipient) AS recipient BY MID
| where NOT isnull(mvfind(Subject,"Password Expiring Soon"))

Joins are painfully inefficient and can usually be avoided using stats and filtering after aggregation. This is definitely one of those instances.

Hope that helps!
rmmiller

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...