×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Glioblaster
Explorer
Member since: ‎07-29-2020
‎07-30-2020
Community Statistics
Posts 5
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎07-29-2020
View All

Re: Search and compare data within 3 fields to fin...

by in Splunk Search
‎07-30-2020 01:30 PM
‎07-30-2020 01:30 PM
Solved: This is what worked for my search and I also had some mixed case letters so I added the case "lower". | rex field=msg.header.to{}  max_match=0 "<(?<test>.*)>"  | rex field=msg.header.cc{}  max_match=0 "<(?<test2>.*)>"  | eval test=lower(test) | eval test=lower(test2) | eval test3=if(orig_recipient=test OR orig_recipient=test2), "TRUE", "FALSE")   ... View more

Re: Search and compare data within 3 fields to fin...

by in Splunk Search
‎07-30-2020 12:24 PM
‎07-30-2020 12:24 PM
Update, so as I am continuing to work on this I changed the parameters to this: rex field=msg.header.to{} "<(?<test>.*)>" and it worked with providing me the email address contained within the "<>".  My next issue is to make it work on multiple email addresses within the same field.  Suggestions are welcomed.  After I get the email addresses extracted out into a new field, I can then write comparison expressions against my orig_recipient field. ... View more

Re: Search and compare data within 3 fields to fin...

by in Splunk Search
‎07-30-2020 04:33 AM
‎07-30-2020 04:33 AM
Thank you. I tried this but it did not like my following syntax (received "Error in 'eval' command. The expression is malformed.") as I need to search against the fields, I substituted the field names where you put the email addresses.  I wrote the following: eval Message="{\"message\":{\"hdr"\{\"to"\:\"'msg.header.to{}'\",\"cc\":\"'msg.header.cc{}'\"}},\"orig_recipient\"" All else was the same from your reply.  In addition, I will be putting an OR command as I need to search against the .to and .cc fields. ... View more

Re: Search and compare data within 3 fields to fin...

by in Splunk Search
‎07-30-2020 04:00 AM
‎07-30-2020 04:00 AM
Thank you but the result was all negative as it was the same problem I am running into where Splunk does not look within the field to match the results so the email addresses inside the <> are not being parsed against the email addresses in orig_recipient. ... View more

Search and compare data within 3 fields to find po...

by in Splunk Search
‎07-29-2020 02:10 PM
‎07-29-2020 02:10 PM
I have a search yielding data from three different email fields, call them msg.header.to{}, msg.header.cc{} and orig_recipient.  I am looking to see if the email address contained within orig_recipient matches either of the other two.  The issue is that Splunk captures the data differently in the msg.header columns. For example, the msg.header columns output is "Smith, Joe <joe.smith@email.com>", while the output in the orig_recipient would only be "joe.smith@email.com".   So, when I ask Splunk to tell me if the orig_recipient email address is in the msg.header.to{}, I get a negative.  I have tried Like, If, Where and others, along with using wildcards but maybe my syntax is wrong.     I am looking to see how I can search within a field using the value of another field as the search parameter.  Also, if that is not possible, extracting the data between the <> and putting it into another field to compare off of that field might work. Thank you for your time and attention to this matter.       ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-30-2020 04:03 PM