Splunk Search

Search and compare data within 3 fields to find positive and negative matches

Glioblaster
Explorer

I have a search yielding data from three different email fields, call them msg.header.to{}, msg.header.cc{} and orig_recipient.  I am looking to see if the email address contained within orig_recipient matches either of the other two.  The issue is that Splunk captures the data differently in the msg.header columns.

For example, the msg.header columns output is "Smith, Joe <joe.smith@email.com>", while the output in the orig_recipient would only be "joe.smith@email.com".   So, when I ask Splunk to tell me if the orig_recipient email address is in the msg.header.to{}, I get a negative.  I have tried Like, If, Where and others, along with using wildcards but maybe my syntax is wrong.    

I am looking to see how I can search within a field using the value of another field as the search parameter.  Also, if that is not possible, extracting the data between the <> and putting it into another field to compare off of that field might work.

Thank you for your time and attention to this matter.


1 Solution

Glioblaster
Explorer

Solved:

This is what worked for my search and I also had some mixed case letters so I added the case "lower".

| rex field=msg.header.to{} max_match=0 "<(?<test>[^>]*)>"
| rex field=msg.header.cc{} max_match=0 "<(?<test2>[^>]*)>"
| eval test=lower(test)
| eval test2=lower(test2)
| eval test3=if(orig_recipient=test OR orig_recipient=test2, "TRUE", "FALSE")


bowesmana
SplunkTrust

@Glioblaster As well as using match, as suggested by @to4kawa you can always extract the email address using the rex statement, as in this example. Note that it still uses match() to do the compare.

| makeresults
| eval Message="{\"message\":{\"hdr\":{\"to\":\"Smith, Joe <joe.smith@email.com>\",\"cc\":\"Smith, Fred <fred.smith@email.com>\"}},\"orig_recipient\":\"joe.smith@email.com\"}"
| spath input=Message
| rex field=message.hdr.cc "<(?<email_cc>[^>]*)"
| rex field=message.hdr.to "<(?<email_to>[^>]*)"
| eval to_is_orig=if(match(orig_recipient,email_to),"EQUAL","NOT_EQUAL")

Hope this is useful.

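An added example, not code from any poster in this thread, that combines the accepted solution's rex/lower approach with the extraction shown above: each header is flattened with mvjoin and lower-cased before extraction, so mixed case and several addresses in one field are both handled, and the comparison is an exact multivalue-aware equality check instead of match(), so a "." in the address cannot match an arbitrary character. The two events, the field names to_hdr and cc_hdr, and the addresses are constructed stand-ins for the poster's msg.header.to{}, msg.header.cc{} and orig_recipient data.

```spl
| makeresults
| eval to_hdr=mvappend("Jones, Ann <ann.jones@email.com>", "Smith, Joe <Joe.Smith@Email.com>"),
       cc_hdr="Smith, Fred <fred.smith@email.com>",
       orig_recipient="joe.smith@email.com"
| append
    [| makeresults
     | eval to_hdr="Jones, Ann <ann.jones@email.com>",
            cc_hdr="Brown, Sam <sam.brown@email.com>",
            orig_recipient="joe.smith@email.com"]
| eval hdr_str=lower(mvjoin(mvappend(to_hdr, cc_hdr), ";"))
| rex field=hdr_str max_match=0 "<(?<hdr_addr>[^>]+)>"
| eval hdr_addr=mvdedup(hdr_addr), orig_lc=lower(orig_recipient)
| eval matched=if(mvcount(mvdedup(mvappend(hdr_addr, orig_lc)))=mvcount(hdr_addr), "TRUE", "FALSE")
| table orig_recipient hdr_addr matched
```

The first event yields matched=TRUE and the second matched=FALSE: appending orig_lc to an already de-duplicated list only grows the count when the address is absent, and a missing header (null hdr_addr) falls through to FALSE. Against real data, drop the two makeresults blocks and write the header fields as 'msg.header.to{}' and 'msg.header.cc{}', single-quoted because eval needs the quotes for field names containing dots and braces.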

Glioblaster
Explorer

Thank you. I tried this but it did not like my following syntax (I received "Error in 'eval' command. The expression is malformed."). As I need to search against the fields, I substituted the field names where you put the email addresses. I wrote the following:

eval Message="{\"message\":{\"hdr"\{\"to"\:\"'msg.header.to{}'\",\"cc\":\"'msg.header.cc{}'\"}},\"orig_recipient\""

All else was the same from your reply.  In addition, I will be putting an OR command as I need to search against the .to and .cc fields.


Glioblaster
Explorer

Update: as I am continuing to work on this, I changed the parameters to this:

| rex field=msg.header.to{} "<(?<test>.*)>"

It worked, providing me the email address contained within the "<>". My next issue is to make it work on multiple email addresses within the same field. Suggestions are welcome. After I get the email addresses extracted out into a new field, I can then write comparison expressions against my orig_recipient field.


to4kawa
Ultra Champion

| eval check=if(match('msg.header.to{}', orig_recipient), 1, 0)


How about match()?


Glioblaster
Explorer

Thank you, but the result was all negative. It is the same problem I am running into where Splunk does not look within the field to match the results, so the email addresses inside the <> are not being parsed against the email addresses in orig_recipient.
