Splunk Search

search requires stitching together two distinct events from a single sourcetype

danesh_shah
New Member

I require some assistance with my search query, where I need to search a mail log to extract the highest recipients by message size based upon a unique common ID.

I am able to search events by the size field to see the values of message size from the senders' addresses, but I am unable to search this by the recipients' addresses, including showing the unique ID.

So I need to combine these two events, first showing the message size and then the recipient addresses, based upon a common queue ID. I know the stats function is more beneficial than the transaction command, as it is costly. Also, I believe I am able to chart it through xyseries, but I'm unsure how to put this together, as I have tried various types of stats commands trying to put this together, but I have a strong feeling I'm not executing it correctly.

0 Karma

renjith_nair
Legend

@danesh_shah ,

Did you try stats values(recipient) as recipient, values(senders) as senders, max(message_size) by unique_id?

If it's not working, would it be possible to share some sample events after masking any sensitive data?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

danesh_shah
New Member

Hi - Thanks, how can I produce this as a chart to show each value, i.e. message size, unique ID and the recipient address?

0 Karma

danesh_shah
New Member

I can visualise this as a chart, but it only displays the chart over unique ID by message size; I need to show the recipients also.

0 Karma

danesh_shah
New Member

index=maildata sourcetype="email_log"
| stats values(from) as senders, values(to) as recipients, max(size) as "Message Size" by qid
| rename qid as "Unique ID"
| sort 10 -"Message Size"

0 Karma

renjith_nair
Legend

@danesh_shah, it will be helpful if you have sample events for both the sender and recipient events. Please mask any sensitive information if needed.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
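
The stitching discussed in this thread, as an added example that is not from either poster: the sender event (carrying `from` and `size`) and the recipient events (carrying `to`) are joined with `stats ... by qid`, and the recipients are folded into the chart label so a column chart shows them next to the queue ID. The sample rows, addresses and queue IDs are constructed, the split of fields across events is an assumption about the log format, and `makeresults format=csv` assumes a Splunk version that supports it; against real data, replace the first two commands with `index=maildata sourcetype="email_log"`.

```spl
| makeresults format=csv data="qid,from,to,size
q1A,alice@example.com,,48213
q1A,,bob@example.net,
q1A,,carol@example.net,
q2B,dave@example.com,,1250331
q2B,,erin@example.net,
q3C,frank@example.com,,9120
q3C,,bob@example.net,"
| eval from=nullif(from,""), to=nullif(to,""), size=nullif(size,"")
| stats values(from) as senders, values(to) as recipients, max(size) as size by qid
| sort 10 -num(size)
| eval label=qid." -> ".coalesce(mvjoin(recipients, ", "), "(no recipient event)")
| table label, size
| rename label as "Unique ID -> Recipients", size as "Message Size"
```

Rendered as a column or bar chart, the first column becomes the axis label and "Message Size" the plotted series.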