Your eventstats recommendation worked. Thank you. ... View more

Im not wanting to use stats because im needing to just count the number of recipients by sender mid search and from what ive tried I havent had much success from it. Im completly open if there is a way to do it. ... View more

Thank you. This works great for what im trying to do. ... View more

Here is my query. I commented in the place that I'm trying to run that mvfind command. I have two emails, i cut anything after @ giving me usernames of sorts then i split them and now am trying to search by sender to see if the sender is trying to send something to an email that closely resembles his own. index=msexchange size>2000000 directionality="Originating" AND action="delivered" AND recipient!="*iccu.com" AND NOT (message_subject="RE*" OR message_subject="FW*" OR message_subject="*EXTERNAL*") AND (recipient="*gmail.com" OR recipient="*.edu" OR recipient="*hotmail.com" OR recipient "*yahoo.com" OR recipient="*msn.com" OR recipient="*outlook.com" OR recipient="*aol.com" OR recipient="*zoho.com" OR recipient="*icloud.com" OR recipient="*inbox.com" OR recipient="*mail.com" OR recipient="*yandex.com" OR recipient="*protonmail.com") |rex field=recipient "^(?<re_name>.*)@(?<trash1>.*)$" `comment("START OF FIRST 3 COMPARASON")` |rex field=sender "^(?<se_name>.*)@(?<trash1>.*)$" |rex field=se_name "^(?P<se_first3>...)" |rex field=re_name "^(?P<re_first3>...)" |eval first_value=if(like(se_first3, re_first3), 1, 0) `comment("START OF LAST 3 COMPARASON")` |rex field=re_name "(?<re_last3>\w{3})$" |rex field=se_name "(?<se_last3>\w{3})$" |eval last_value=if(like(se_last3, re_last3), 1, 0) |eval subject_value=if(isnull(message_subject), 1, 0) `comment("THIS IS WHERE IM PULLING OUT CHARACTERS THAT I DONT WANT")` |replace "*.*" WITH "" in re_name |replace "*_*" WITH "" in re_name |eval se_cut=replace(se_name,"^.","") |eval re_cut=replace(re_name,"^.","") |eval se_mvmake=se_name |eval re_mvmake=re_name | rex field=re_mvmake "(?<re_my1>.*?)\d\d\d+(?<re_my2>.*)" | eval re_mvmake=if(isnull(re_my1), re_mvmake, re_my1+re_my2) | rex field=se_mvmake "(?<se_my1>.*?)\d\d\d+(?<se_my2>.*)" | eval se_mvmake=if(isnull(se_my1), se_mvmake, se_my1+se_my2) `comment("IGNORE THIS")` |makemv re_mvmake delim=‘“\”’ |makemv se_mvmake delim=‘“\”’ |mvexpand re_mvmake |mvexpand se_mvmake |rex field=re_name max_match=10 "\"(?<re_mv>.*?)\"" |rex field=se_name max_match=10 "\"(?<se_mv>.*?)\"" `comment("THIS IS WHAT I AM WORKING ON NOW BASED ON YOUR COMMENT")` |eval re_split=split(re_name,"") |eval se_split=split(se_name,"") |mvexpand se_split |mvexpand re_split |eval split_total=mvfind(se_split, re_split) |eval threat_num=4 |eval is_threat=if(like(se_name, re_name), 2, 0) |eval appraise=if(like(message_subject, "%ppraisal%"), 2, 0) `comment("START OF MESSAGE SUBJECT COMPARASON")` |eval payment=if(like(message_subject, "%ayment%"), 2, 0) |eval loan=if(like(message_subject, "%oan%"), 2, 0) |eval estimate=if(like(message_subject, "%stimate%"), 2, 0) |eval size_count=if(size>5000000, 1, 0) |eval diff=(threat_num - appraise - payment - loan - estimate + size_count + first_value + last_value + is_threat + subject_value) |eval Threat_Level=case(diff=1 OR diff=2, "Low", diff=3 OR diff=4, "Medium", diff=5, "High", diff=6 OR diff=7 OR diff=8, "Urgent") | eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S") `comment("|where Threat_Level="High" OR Threat_Level="Urgent"")` |stats values(split_total) values(se_split) values(re_split) values(Threat_Level) as "Threat Level" values(size) as "Message Size" values(recipient) as Recipient values(Time) as Time by sender subject | sort -"Message Size" "Threat Level" ... View more

I just want to match if re_split is in se_split. if it returns the letters that are in that field that is fine because I can just have it count how many letters there are in comparison to se_split and come up with a final number that way. in the end i just want a number that tells me how many matching characters there are and then im going to subtract the number of matching characters from the number of characters in se_split and return a percentage value as my final number. so yes i just want to check existence. ... View more

All character are in a single field. I've taken usernames and strung them out and am now trying to compare the two so that i can see if they match a certain amount. ... View more