1st query       index=mail NOT [ | inputlookup suspicoussubject_keywords.csv | rename keyword AS query | fields query ] | lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match | where isnull(domain_match) | lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2 | where isnotnull(domain_match2) | stats values(recipient) as recipient values(subject) as subject earliest(_time) AS "Earliest" latest(_time) AS "Latest" by RecipientDomain sender | where mvcount(recipient)=1 | eval subject_count=mvcount(subject) | sort - subject_count | convert ctime("Latest") | convert ctime("Earliest")       2nd query       index=o365 | dedup Id | rename _time as DateTime, PolicyDetails{}.PolicyName as PolicyName, PolicyDetails{}.Rules{}.RuleName as RuleName, ExchangeMetaData.UniqueID as UniqueID, ExchangeMetaData.Subject as Subject, ExchangeMetaData.From as Sender, ExchangeMetaData.To{} as Recipient, ExchangeMetaData.CC{} as CC, ExchangeMetaData.BCC{} as BCC, ExchangeMetaData.RecipientCount as RecipientCount, PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Count as SensitiveInformationCount, PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.SensitiveInformationDetections.DetectedValues{}.Name as PIIName, PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.SensitiveInformationDetections.DetectedValues{}.Value as PIIValue, PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Location as Location | dedup UniqueID | rex field=Recipient "@(?<domain>.*$)" | rex field=CC "@(?<domain>.*$)" | rex field=BCC "@(?<domain>.*$)" | eval domain=lower(domain) | lookup email_domain_whitelist domain output domain as domain_match | where isnull(domain_match) | stats values(Recipient) values(CC) values(BCC) values(domain) Count sum(SensitiveInformationCount) by PolicyName Subject Sender | sort +values(domain)       hi i would like to combine the first query into the second query , but the second query only shows those matching the policy , other than that it does not show. i want to show those matching the policy and if does  not match also , please show it, but policy field will be empty.  please advise. index will be o365. ... View more

hi,   i need to create a query or where can i find this information.   i want the list of users who has run queries , for auditing purpose ,with the keyword PII on those queries which was run.   Please help.     ... View more

index=mail | lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match | where isnull(domain_match) | table subject sender values(recipient) values(RecipientDomain) Count values(size)``` | stats values(recipient) values(subject) count by RecipientDomain sender | sort -count   i have this search running daily. based on the results from the search,  i want to compare the sender field result with another csv file call 123.csv in lookup , there is a field call Email Address in this csv, give me the results if there is a match.   Please help. Thank you. ... View more

I want to get a list of firewalls and servers sending logs to splunk. What query should i use ? ... View more

    index=mail | lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match | where isnull(domain_match) | lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2 | where isnotnull(domain_match2) | stats values(recipient) as recipient values(subject) as subject earliest(_time) AS "Earliest" latest(_time) AS "Latest" by RecipientDomain sender | where mvcount(recipient)=1 | eval subject_count=mvcount(subject) | sort - subject_count | convert ctime("Latest") | convert ctime("Earliest")     i have list of suspicious keywords to in a list in lookup editor called suspicoussubject_keywords.   can you include the query to lookup for this keyword in subject and then display results?   in another use case , i have a list not to show the following subject  filtersubjects  in lookup. This will not display the results where there are the following words like CV, Resume in the subjects can you help me with the query ? ... View more

      index=mail | lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match | where isnull(domain_match) | lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2 | where isnotnull(domain_match2) | stats values(recipient) as recipient values(subject) as subject earliest(_time) AS "Earliest" latest(_time) AS "Latest" by RecipientDomain sender | where mvcount(recipient)=1 | eval subject_count=mvcount(subject) | sort - subject_count | convert ctime("Latest") | convert ctime("Earliest")     i would like to include in the results if there are any attachments in the email, show me the attachment name and size of the attachment in MB/GB.   Is this possible ?   Adding on , also i have list of suspicious keywords to in a list in lookup editor called suspicoussubject_keywords.   can you include the query to lookup for this keyword in subject and then display results?   ... View more