Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- String split to the same field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am doing some email count analysis and run into the following problem.
For inbound email the recipients field contains a string of email addresses(it could be few or hundreds of addresses) each separated by ";".
Using eval recipient=split(recipients,";") I am able to split them but they are all split into a single field recipient which contains multiple values.
I want to do ...|search recipient="abc@abc.com" | timechart span=1d by recipient however the search returns timechart for ALL users in the receipent field.
I was thinking about using regex but I do not know how many fields to extract based on various number of recipients for each email message.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use mvexpand command to convert each recipient into single row. Use it after your eval -split command. So it'll be like this
your base search | eval recipient=split(recipients,";") | mvexpand recipient |search recipient="abc@abc.com" | timechart span=1d count by recipient
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What to do is going to depend on what you want with all those timecharts.
If you don't want to look at timechart for all the recipients, then put into words what you DO want to look at.
I suspect that you could use mvexpand to create a single record for each person for each email, then use stats (not timechart) against a binned _time field to roll them all together, then from that, select which persons you want to analyse. For example, something like the following would give you timecharts for the top 5 recipients who received the most emails. (air code)
your base search
| eval recipient=split(recipients,";")
| mvexpand recipient
| bin _time span=1d
| stats count as rdcount by recipient _time
| appendpipe [| stats sum(rdcount) as ecount by recipient | top 5 ecount ]
| eventstats max(ecount) as ecount by recipient
| where isnotnull(ecount)
| timechart span=1d sum(rdcount) as count by recipient
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use mvexpand command to convert each recipient into single row. Use it after your eval -split command. So it'll be like this
your base search | eval recipient=split(recipients,";") | mvexpand recipient |search recipient="abc@abc.com" | timechart span=1d count by recipient
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mvexpand recipient
worked exactly how I was expecting the results to be. Thanks all for your help!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
