Hi,
I am looking to using all the values from one field and see if they partially appear in another from a set of mail logs.
I have used eval to produce a list of search terms I need.
I have a list of email addresses which i need to take just the first part before the @ and add a - to it which i have done using:
eval results=ToPerson." -"
This gives me the below examples and are stored in the results field.
I then want to take all these values and compare them against all the message subjects and if the name "joe.bloggs -" appears in part of the message subject then display the information. I've tried using subsearches but i seem to be having difficulty using all the values in the results field and comparing them against the all the message subjects that appear. I was wondering how to go about this in splunk
Thanks
I guess we need to see both your queries, with some sample values to answer you better. Meanwhile try something like this
your base search with message subject field [search your search which gives ToPerson field | eval query="*".ToPerson."-*" | stats count by query | table query ]