There are log entries as seen below. When they are SEPARATE events, the following command works to count the # of occurrences of each type: index.... | stats count by type
type count
png 2
gif 3
pdf 1
But I need to use the transaction command in order to gather other information (like direction: inbound or outbound). Once I do so, via: index..... | transaction host,s,m maxspan=301s | stats count by type
such that it is now ONE EVENT, I get the results below, as if it is counting them distinctly. I want to get the results as above, the actual count of the occurrences of each.
Thanks.
type count
png 1
gif 1
pdf 1
Jun 7 00:50:15 lrdna0n2xepmx10 s=1mb0nj7xyk m=1 mod=mail cmd=attachment file=image006.png type=png
Jun 7 00:50:15 lrdna0n2xepmx10 s=1mb0nj7xyk m=1 mod=mail cmd=attachment file=image007.png type=png
Jun 7 00:50:15 lrdna0n2xepmx10 s=1mb0nj7xyk m=1 mod=mail cmd=attachment file=image009.gif type=gif
Jun 7 00:50:15 lrdna0n2xepmx10 s=1mb0nj7xyk m=1 mod=mail cmd=attachment file=image010.gif type=gif
Jun 7 00:50:15 lrdna0n2xepmx10 s=1mb0nj7xyk m=1 mod=mail cmd=attachment file=image011.gif type=gif
Jun 7 00:50:15 lrdna0n2xepmx10 s=1mb0nj7xyk m=1 mod=mail cmd=attachment file="loan repayment.pdf" type=pdf
Using the max_match parm with the rex command worked. Pat myself on the back.
Proofpoint now has a beta app that will allow you report on and visualze your Proofpoint Protection Server and TAP data! Check out the new app here:
https://splunkbase.splunk.com/app/3727/#/details
Be sure to follow the instructions listed in the details to get all the needed TA's etc that the app needs to work correctly.
There are pre-built dashboards to aid in searching for message events.
Using the max_match parm with the rex command worked. Pat myself on the back.