×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
dhabbal
Explorer
Member since: ‎06-07-2018
‎01-08-2022
Community Statistics
Posts 4
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎06-07-2018
Activity Feed
View All

Re: Searching a 2nd index with a field extraction ...

by in Splunk Search
‎01-08-2022 01:15 PM
‎01-08-2022 01:15 PM
Thanks for this, I tried this join syntax earlier but the search was very slow and wasn't able to be completed. Firewall logs are huge but I thought the subsearch runs first that feeds the join cmd, in my mind it should run fairly quickly but it's taking very long.  Any ideas how to make the search more performative? ... View more

Re: Extract domain part of list of emails addresse...

by SplunkTrust in Splunk Search
‎06-07-2018 11:42 PM
‎06-07-2018 11:42 PM
Hi dhabbal, if your emails are in a field called "email", you could run a search like this: index=my_index | rex field=email "\@(?<domain>[^ ]*)" | stats dc(email) AS num_email BY domain in this way you have the count of different emails in your logs. If in addition you want also the name of your emails, you could run: index=my_index | rex field=email "\@(?<domain>[^ ]*)" | stats values(email) AS email dc(email) AS num_email BY domain If at least, you want the number of emails ordered by domain, you could run: index=my_index | stats count BY email | rex field=email "\@(?<domain>[^ ]*)" | sort domain | table domain email count Bye. Giuseppe ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-08-2022 09:21 PM
Karma given to
View All