Splunk Search

Using multiple values in a field to compare to the values in another field

dm22
New Member

Hi,

I am looking to using all the values from one field and see if they partially appear in another from a set of mail logs.
I have used eval to produce a list of search terms I need.
I have a list of email addresses which i need to take just the first part before the @ and add a - to it which i have done using:

eval results=ToPerson." -"

This gives me the below examples and are stored in the results field.

  1. joe.bloggs -
  2. joe.smith -
  3. joe.brown -

I then want to take all these values and compare them against all the message subjects and if the name "joe.bloggs -" appears in part of the message subject then display the information. I've tried using subsearches but i seem to be having difficulty using all the values in the results field and comparing them against the all the message subjects that appear. I was wondering how to go about this in splunk

Thanks

Tags (1)
0 Karma

somesoni2
Revered Legend

I guess we need to see both your queries, with some sample values to answer you better. Meanwhile try something like this

your base search with message subject field [search your search which gives ToPerson field | eval query="*".ToPerson."-*" | stats count by query | table query ]
0 Karma
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...