Hi
I'm trying to perform a subsearch to get a list of users in a lookup table and map the mail field to recipients and sender and perform a
search on recipients or sender. At the moment it's only performing the search if the recipients and senders are both as the recipients and sender .
Is there is a way to change it to search for recipients or senders that match to the fields instead of both fields need to match?
Here is my current search.
index=msexchange sourcetype="MSExchange:2010:MessageTracking" recipients=* OR sender=* [| inputlookup Finance_Users.csv | eval recipients = mail | eval sender = mail | fields recipients, sender] | dedup message_id | eval DLM = coalesce(SEC,DLM) |sort by -_time | convert timeformat="%d/%m/%Y %I:%M:%S %p" ctime(_time) | table _time, sender, recipient, message_subject, DLM | rename sender as Sender, recipient as Recipient, _time as Time, message_subject as Subject
Try like this
index=msexchange sourcetype="MSExchange:2010:MessageTracking" [| inputlookup Finance_Users.csv | eval recipients = mail | eval sender = mail | fields recipients, sender | format "(" "" "OR" "" "OR" ")" ] | dedup message_id | eval DLM = coalesce(SEC,DLM) |sort by -_time | convert timeformat="%d/%m/%Y %I:%M:%S %p" ctime(_time) | table _time, sender, recipient, message_subject, DLM | rename sender as Sender, recipient as Recipient, _time as Time, message_subject as Subject
Thanks worked perfectly.
Try like this
index=msexchange sourcetype="MSExchange:2010:MessageTracking" [| inputlookup Finance_Users.csv | eval recipients = mail | eval sender = mail | fields recipients, sender | format "(" "" "OR" "" "OR" ")" ] | dedup message_id | eval DLM = coalesce(SEC,DLM) |sort by -_time | convert timeformat="%d/%m/%Y %I:%M:%S %p" ctime(_time) | table _time, sender, recipient, message_subject, DLM | rename sender as Sender, recipient as Recipient, _time as Time, message_subject as Subject