Splunk newbie in search of advice. Here's the situation:
I have two sources that provide e-mail info: tag::host="es1" and source="/data/elog.txt".
One source reports SMTP_RCPT_TO and the other reports MAIL_TO. (the values stored in each are all over the place, e.g. "foo user ", FOO@user.org, foo@smtp.user.org...)
I want to find all lines that match a set of users, e.g. "foo, bar, and baz" (including any permutation of the receiving domain like /.*user.org/i and any capitalization of username)
The simple search: tag::host="es1" OR source="/data/elog.txt" (foo OR bar OR baz)
does the trick (although you get hits on other fields as well)
Now expand that list of users to 40 or 50 and I'm starting to look for a better way. inputlookups seem promising, but fail due to the myriad of ways the email agents stuff address data into Splunk. It seems that lookups are exact match. I could create various permutations in the lookup csv but that would be brittle and tedious.
So masters of splunk-fu, are there other approaches you would recommend? Something obvious that I've overlooked?
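One approach to the exact-match lookup problem raised above, added here as an example and not part of the original post: normalize the recipient value to its lowercase local part before the lookup, so a single CSV row per user matches every formatting variant. It assumes a lookup file named watchlist.csv with one column, user, holding lowercase usernames (foo, bar, baz); the file name and column are assumptions.

```spl
(tag::host="es1" OR source="/data/elog.txt") (SMTP_RCPT_TO=* OR MAIL_TO=*)
| eval rcpt=coalesce(SMTP_RCPT_TO, MAIL_TO)
| rex field=rcpt "^\s*(?<rcpt_user>[^@\s]+)"
| eval rcpt_user=lower(rcpt_user)
| lookup watchlist.csv user AS rcpt_user OUTPUT user AS watched
| where isnotnull(watched)
| table _time source rcpt rcpt_user
```

The rex keeps everything before the first @ or whitespace, so "foo user ", FOO@user.org and foo@smtp.user.org all reduce to foo, and lowercasing both sides sidesteps the case-sensitive CSV match. Restricting the search to the two recipient fields also removes the hits on other fields that the plain OR search produces.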