Hi @Jamilahmajed, I’m a Community Moderator in the Splunk Community. This question was posted 1 year ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!  ... View more

Hi @sulaimancds, please check if in the interesting fields there is another alias of the ClientIP (having the same value) and try to use it. Ciao. Giuseppe ... View more

I am not sure which lookup is failing as you haven't shown the fields from all the lookups. For the second part, you could try this (although there doesn't appear to be a date field in the results at the moment so it shouldn't be a problem). | lookup email_users.csv address AS SenderAddress OUTPUT date as EventDate ... View more

There was an error in what you just replied ... View more

@sulaimancds  - Try this as a full search and run it in "Verbose mode". | datamodel Change All_Changes search strict_fields=false | search "All_Changes.result_id"=4732  This will show the events as you asked.   But if you need events as well as the results then do a regular search in "Verbose mode". index=* tag=change | stats max(_time) as lastTime, count BY action, result_id, user, dest | search result_id = 4732 | convert ctime(lastTime) as lastTime   Kindly accept the answer and upvote if this helps you!!! ... View more

Quote the string you are trying to match in the where clause | where SenderDomain = "gmail.com" ... View more

This just goes to show how important it is to illustrate your data (with proper sanitization) before asking a question.  The raw log you showed contains very few fields used in your illustrated codes.  If this is the real data format and the search codes are the real ones you tried, how can you expect the code to do anything? Strictly using the data you illustrated, assuming it is the exact format that Splunk ingests, Splunk would have already extracted (flattened) all JSON nodes to respective fields, namely FromIP, MessageId, Organization, Received, RecipientAddress, SenderAddress, Size, Status, Subject, and ToIP.  The data contains no array.  So, all fields are single value.  The JSON also has no nested nodes.  So, all fields are flat.  To achieve your illustrated output, all you  need to do is to extract SenderDomain from SenderAddress, then stats on _time to get earliest and latest, i.e., | rex field=RecipientAddress "[^@]@(?<RecipientDomain>.+)" | stats min(_time) as Earliest max(_time) as Latest by RecipientDomain SenderAddress RecipientAddress Subject | convert ctime(Earliest), ctime(Latest) So, I didn't bother to rename RecipientAddress as recipient, SenderAddress as sender.  But you already know how to do that if that is desirable. This, of course, is a far cry from the original problem statement.  I suspect that there are some additions to the search.  But at least the search should match real data. ... View more

Hi @sulaimancds, I understood your requirement, but my question is: check if in recipient you effectively have one recipient and not two or more in the same field. If it's true, you solved your issue. Ciao. Giuseppe ... View more

Hi @sulaimancds .. the _audit index will have all splunk user's search commands (search history).   please check this: https://community.splunk.com/t5/Splunk-Search/Get-user-s-search-history/m-p/57744 ... View more

Add this to the bottom of your search: | lookup 123.csv "Email Address" as sender | where isnotnull('Email Address')  To filter the results for only the Email Addresses in 123.csv ... View more

Hi @sulaimancds, these errors are in the part of the search that you shared, not in the part I updated. Anyway, check the email_subjects lookup because there's an error. Ciao. Giuseppe ... View more

i tried to use lookup editor wordlist , to search but reuslts is 0 , can you helo me . ... View more

hi> ... View more