Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use a lookup file to find FromIP addresses of log entries

Deb
Explorer
‎08-09-2021 12:04 PM

Hi there, I have a csv lookup file consisting of sender email addresses.  I'd like to search the splunk logs for all the entries with these SenderAddresses over the last 90 days to determine what FromIP they have.  What search syntax do I use?

file has been uploaded to Splunk and is called AllSenders.csv.  it has heading email, flag...all the flag are set to 1 since I want to search them all.  

In general, to search the logs for email i use:  

index=app_messagetrace sourcetype=ms:o365:reporting:messagetrace

Thanks in advance....let me know what other info you need to help  🙂

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-09-2021 05:12 PM

If the field name in the lookup doesn't match that in the index then the fix is easy - just add a rename command to the subsearch (there's also a way to do it with the return command).

index=app_messagetrace sourcetype=ms:o365:reporting:messagetrace [ | inputlookup AllSenders.csv | rename email as SenderAddress | return 1000 SenderAddress ] earliest = -90d

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

Deb
Explorer
‎08-09-2021 01:47 PM

sorry, i'm not understanding.  when I search using index=app_messagetrace sourcetype=ms:o365:reporting:messagetrace [ | inputlookup AllSenders.csv | return 1000 email ] earliest = -90d.....I get 0 results.  I think it's because it doesn't realize what "email" is in the actual log....so I want to connect it to SenderAddress.....I see you have written "The subsearch runs first, reads in the lookup file then formats the first 1000 results (you can change that number) into (email=foo OR email=bar OR ..." but I'm not sure how to change the query for my purposes....sorry I'm new at this....been reading and watching tutorials but finding it a bit confusing.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-09-2021 05:12 PM

If the field name in the lookup doesn't match that in the index then the fix is easy - just add a rename command to the subsearch (there's also a way to do it with the return command).

index=app_messagetrace sourcetype=ms:o365:reporting:messagetrace [ | inputlookup AllSenders.csv | rename email as SenderAddress | return 1000 SenderAddress ] earliest = -90d

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Deb
Explorer
‎08-10-2021 06:23 AM

Thanks Rich, appreciate your help!!

0 Karma
Reply
Solved! Jump to solution

Deb
Explorer
‎08-09-2021 01:31 PM

thanks for the quick reply Rich.  I realize now the heading in the csv is "email" but in the log data, i want it to search by SenderAddress...how do I indicate this in the query?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-09-2021 01:27 PM

Incorporate the lookup into your search by using a subsearch.

index=app_messagetrace sourcetype=ms:o365:reporting:messagetrace [ | inputlookup AllSenders.csv | return 1000 email ] earliest = -90d

The subsearch runs first, reads in the lookup file then formats the first 1000 results (you can change that number) into (email=foo OR email=bar OR ...).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Deb
Explorer
‎08-09-2021 02:33 PM

I think I found it at this posting

https://community.splunk.com/t5/Splunk-Search/inputlookup-compare-the-field-values-in-my-logs-with-l...

 

index=app_messagetrace sourcetype=ms:o365:reporting:messagetrace [ | inputlookup AllSenders.csv | table email | rename email as SenderAddress ] earliest = -90d

this seems to give me the events i'm looking for....now I just need to organize the events by IP Address

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...