Give this a spin:
index=_internal source="/opt/splunk/var/log/splunk/python.log"
| rex max_match=0 field=recipients "u'(?<recipient_list>[^']+)"
| stats values(recipient_list) as Recipients count by subject
| sort - count
| addtotals col=t row=f
I'm on Splunk 6.x, so my recipients field looks like this:
recipients="[u'userx@uci.edu', u'usery@uci.edu', u'userz@uci.edu']",
If you are on 6.x then my search should work perfectly for you. But if you are on an older version of Splunk, you may have a different log format. For the example you showed us above, there is no u in front of the single-quoted recipient's email address. If that is still the case, just remove the u so the rex line looks like this:
| rex max_match=0 field=recipients "'(?<recipient_list>[^']+)"
Be sure to vote this up if it works for you! 🙂
Oh, and the max_match=0 makes the number of matches unlimited, so it recurses, creating a multivalued field called recipient_list. max_match has the default setting of 1 unless you change it.
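As an added illustration (not part of the answer above, and not Splunk's own code), here is the same extraction done outside Splunk in Python: `re.findall` stands in for `rex max_match=0`, and the optional `u?` in the pattern accepts both the 6.x `u'...'` list format and the older un-prefixed one, so one pattern covers both cases the answer distinguishes. The log lines are constructed samples in the shape of the `python.log` fields the search reads.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like the key="value" alert entries the
# search reads from python.log. The second line uses the older list format
# without the u prefix; the others use the 6.x format shown in the answer.
SAMPLE_LOG = [
    'subject="Disk nearly full" recipients="[u\'userx@uci.edu\', u\'usery@uci.edu\']"',
    'subject="Disk nearly full" recipients="[\'userz@uci.edu\']"',
    'subject="Failed logins" recipients="[u\'userx@uci.edu\']"',
]

# Counterpart of the rex in the answer. The closing quote is consumed so the
# ", " separator between list items can never be captured as a value.
RECIPIENT_RE = re.compile(r"u?'(?P<recipient_list>[^']+)'")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split one python.log line into a dict of key="value" fields."""
    return dict(FIELD_RE.findall(line))


def extract_recipients(recipients_field):
    """Return the multivalued recipient_list for one recipients value."""
    return RECIPIENT_RE.findall(recipients_field)


def stats_by_subject(lines):
    """Mirror `stats values(recipient_list) as Recipients count by subject
    | sort - count`: returns (subject, sorted recipients, count) tuples."""
    rows = defaultdict(lambda: {"Recipients": set(), "count": 0})
    for line in lines:
        fields = parse_line(line)
        if "subject" not in fields:
            continue
        row = rows[fields["subject"]]
        row["count"] += 1
        row["Recipients"].update(extract_recipients(fields.get("recipients", "")))
    return sorted(
        ((s, sorted(r["Recipients"]), r["count"]) for s, r in rows.items()),
        key=lambda t: -t[2],
    )
```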