Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

search requires stitching together two distinct events from a single sourcetype

danesh_shah
New Member
‎11-07-2018 07:39 PM

i require some assistance in my search query where i need to search a mail log to extract the highest recipients by message size based upon a unique common id.

as i am able to search events by the size field to see the values of message size from the senders addresses but i am unable to search this by the recipients address including to show the unique ID.

so i need to combine these two events first showing the message size and then the recipient addresses based upon a common queue ID. i know the stats function is more beneficial than the transaction command as it is costly. Also i believe i am able to chart it through xyseries but i'm unsure how to put this together as i have tried a various types of stats commands trying to put this together but i have a strong feeling i'm not executing it correctly

0 Karma
Reply

renjith_nair
Legend
‎11-07-2018 09:45 PM

@danesh_shah ,

Did you try stats values(recipient ) as recipient ,values(senders) as senders,max(message_size) by unqiue_id

If its not working, would it be possible to share some sample events after masking any sensitive data?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

danesh_shah
New Member
‎11-08-2018 07:02 AM

Hi - Thanks, how can i produce this as a chart to show each value i.e. message size, unique ID and the recipient address?

0 Karma
Reply

danesh_shah
New Member
‎11-08-2018 07:17 AM

i can visualise this as a chart but it only displays the chart over unique id by message size i need to show the recipients also

0 Karma
Reply

danesh_shah
New Member
‎11-08-2018 07:42 AM

index=maildata sourcetype="email_log"
| stats values(from) as senders ,values(to) as recipients,max(size) as "Message SIze" by qid
| rename qid as "Unique ID"
| sort 10 -"Message Size"

0 Karma
Reply

renjith_nair
Legend
‎11-10-2018 08:28 PM

@danesh_shah , it will be helpful if you have a sample events for both sender and recipient event. Please mask any sensitive information if needed

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...