Hi, my mail server logs display recipient info like this:
Feb 14 16:04:25 224.67.24.175 Feb 14 16:04:25 mail_logs: Info: MID 1563086 ICID 1105367 RID 0 To: <user.1@abc.com>
How can I list the top 10 recipients by search command?
Thanks.
You need to remove the : from To in your search.
Also... If you haven't trained Splunk to recognize your To field, you'll want to run the IFX wizard to extract the field. Here's a link on how to do this:
http://www.splunk.com/base/Documentation/4.1.7/User/InteractiveFieldExtractionExample
I created it in savedsearches.conf like this:
[Top recipients - pie chart]
action.email.sendresults = 0
dispatch.ttl = 3600
displayview = report_builder_display
relation = None
request.ui_dispatch_view = report_builder_display
search = index=all_test host=224.67.24.175 | top To: limit=10
vsid = *:fwkfzepj
But when I run this saved search, it displays nothing.
Why?
Assuming you have your fields extracted properly:
... | top limit=10 To
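As an added illustration (not part of any answer in this thread), the following Python shows what the two answers together amount to for the log format quoted in the question: a regex that extracts a `To` field (the kind of extraction the IFX wizard would generate, with the colon left out of the field name) and a function that mimics `| top limit=10 To`. The sample log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample events in the format quoted in the question (not real mail log data).
SAMPLE_LOGS = """\
Feb 14 16:04:25 224.67.24.175 Feb 14 16:04:25 mail_logs: Info: MID 1563086 ICID 1105367 RID 0 To: <user.1@abc.com>
Feb 14 16:04:26 224.67.24.175 Feb 14 16:04:26 mail_logs: Info: MID 1563087 ICID 1105367 RID 0 To: <user.2@abc.com>
Feb 14 16:04:27 224.67.24.175 Feb 14 16:04:27 mail_logs: Info: MID 1563088 ICID 1105368 RID 0 To: <user.1@abc.com>
Feb 14 16:04:28 224.67.24.175 Feb 14 16:04:28 mail_logs: Info: MID 1563089 ICID 1105369 RID 1 To: <user.3@abc.com>
Feb 14 16:04:29 224.67.24.175 Feb 14 16:04:29 mail_logs: Info: Message 1563089 queued for delivery
"""

# Field extraction for this format: the named capture group becomes the field name "To"
# (no colon, matching the first answer's advice about the search syntax).
TO_FIELD = re.compile(r"\bTo:\s*<(?P<To>[^>]+)>")


def extract_to(line):
    """Return the recipient address from one mail_logs event, or None if it has no To field."""
    m = TO_FIELD.search(line)
    return m.group("To") if m else None


def top_recipients(log_text, limit=10):
    """Mimic `| top limit=<limit> To`: (value, count, percent) tuples, most frequent first.

    Events without a To field are ignored, as Splunk's top does; the percent column is
    relative to the events that carried the field.
    """
    counts = Counter(to for to in map(extract_to, log_text.splitlines()) if to)
    total = sum(counts.values())
    return [(addr, n, round(100.0 * n / total, 2)) for addr, n in counts.most_common(limit)]


if __name__ == "__main__":
    for addr, n, pct in top_recipients(SAMPLE_LOGS):
        print(f"{addr:<20} {n:>5} {pct:>7.2f}%")
```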