@renjith.nair, thank you for putting the time into creating dummy data generation to help me find a solution. The example you provided, with the results it yielded, is exactly what I am looking for.
I have further fixed more of the issue by extracting a new field, called "To_or_From_MSD_Number", which uses specific regex to capture the MSD number ONLY if it is a To or From email event. This has given me nearly exactly the results I needed when using your new search query.
However, what I have found is that this email application will re-use the MSD number further in the same day, making results have multiple values in the From and To columns. Due to this unfortunate detail, I wonder if this is beyond the scope of Splunk's ability. The search query would have to somehow get the msd matched To and From events that are within the same hour. Or maybe I could throw the source ip that is in the To event into the query somewhere to isolate the results.
Here is an example, where I specified 1 MSD number because it has been used twice already today:
search query:
host=hostIp To_or_From_MSD_Number="10092" | stats values(Email_From_Address) as From, values(Email_To_Address) as To, count by To_or_From_MSD_Number | where count>1 | fields - count
Results:
To_or_From_MSD_Number   From               To
10092                   from@first.com     to@first.com
                        from@second.com    to@second.com
And here would be the actual To and From events from the results:
Oct 8 06:27:19 mail msd[10092] MAIL command received, args: FROM: from@first.com
Oct 8 06:27:19 mail msd[10092] RCPT command received (1.1.1.1), args: TO: to@first.com
Oct 8 08:20:10 mail msd[10092] MAIL command received, args: FROM: from@second.com
Oct 8 08:20:11 mail msd[10092] RCPT command received (2.2.2.2), args: TO: to@second.com
After looking at the events here I noticed that the source IP in the To events differs. Is it possible to separate the joined results from our search query by using that source IP (meaning the 1.1.1.1 and the 2.2.2.2 IPs in the To events)?
The results I would hope could be achievable would look something like this:
Source IP   MSD Number   From               To
1.1.1.1     10092        from@first.com     to@first.com
2.2.2.2     10092        from@second.com    to@second.com
I apologize for this difficult request. I will accept that what I ask for is over-complicated and not achievable if necessary.
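The correlation the post asks for, written as an added, stand-alone Python example rather than as Splunk SPL (this is not the poster's or the answerer's code, and the sample events below are constructed from the shape of the four log lines in the post; the syslog year, the 60-minute pairing window and the `mail`/`msd` hostname and process names are assumptions). Each RCPT event is paired with the most recent MAIL event carrying the same msd number, provided it arrived within the window, and the source IP from the RCPT line is carried through. Because the msd number is re-used later in the day, a new MAIL event on the same number simply replaces the previous one, so the two reuses land on separate rows. In Splunk the same pairing can be expressed with `transaction To_or_From_MSD_Number maxspan=1h`, with the RCPT source IP extracted as its own field; the Python version just makes the matching rule explicit and testable.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in the shape shown in the post (hypothetical data).
SAMPLE_EVENTS = """\
Oct 8 06:27:19 mail msd[10092] MAIL command received, args: FROM: from@first.com
Oct 8 06:27:19 mail msd[10092] RCPT command received (1.1.1.1), args: TO: to@first.com
Oct 8 08:20:10 mail msd[10092] MAIL command received, args: FROM: from@second.com
Oct 8 08:20:11 mail msd[10092] RCPT command received (2.2.2.2), args: TO: to@second.com
"""

# One regex per event type; the msd number is captured only from MAIL/RCPT events,
# mirroring the "To_or_From_MSD_Number" field described in the post.
MAIL_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ msd\[(?P<msd>\d+)\] '
    r'MAIL command received, args: FROM: (?P<addr>\S+)$')
RCPT_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ msd\[(?P<msd>\d+)\] '
    r'RCPT command received \((?P<ip>[\d.]+)\), args: TO: (?P<addr>\S+)$')


def parse_ts(ts, year=2024):
    # Syslog timestamps carry no year; assume one so events compare correctly.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_events(text):
    """Turn raw log lines into event dicts; lines that are neither MAIL nor RCPT are skipped."""
    events = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "msd": m["msd"], "kind": "MAIL",
                           "addr": m["addr"], "ip": None})
            continue
        m = RCPT_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "msd": m["msd"], "kind": "RCPT",
                           "addr": m["addr"], "ip": m["ip"]})
    return events


def correlate(events, max_gap=timedelta(minutes=60)):
    """Pair each RCPT with the latest preceding MAIL on the same msd number within max_gap.

    Returns one row per RCPT: source IP, msd number, sender, recipient. A RCPT with no
    MAIL inside the window (or none at all) keeps its own fields and gets from=None, so
    an unmatched event is visible rather than silently merged into the wrong message.
    """
    open_mail = {}  # msd number -> most recent MAIL event seen on that number
    rows = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # stable sort keeps MAIL before RCPT
        if ev["kind"] == "MAIL":
            open_mail[ev["msd"]] = ev  # re-used msd number: newer MAIL replaces older one
            continue
        mail = open_mail.get(ev["msd"])
        sender = None
        if mail is not None and ev["ts"] - mail["ts"] <= max_gap:
            sender = mail["addr"]
        rows.append({"src_ip": ev["ip"], "msd": ev["msd"], "from": sender, "to": ev["addr"]})
    return rows


def format_table(rows):
    """Render rows in the column layout the post asks for."""
    header = f"{'Source IP':<12}{'MSD Number':<13}{'From':<19}{'To'}"
    lines = [header]
    for r in rows:
        lines.append(f"{r['src_ip']:<12}{r['msd']:<13}{str(r['from']):<19}{r['to']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(correlate(parse_events(SAMPLE_EVENTS))))
```

Running the block prints the two-row table from the post, one row per source IP. Tightening `max_gap` is the knob for how far apart a MAIL and RCPT may be before they are treated as unrelated; with the post's data the gap is one second, so any reasonable window pairs them.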