Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to generate a search to sort based on domain names and count the number of emails from the domain?

rvinjana
Explorer
‎03-13-2017 03:59 AM

i have a search with multiple domains in the email address , i need to sort it based on domain names and number of emails from the domain . here is the output from from which i need to sort 

source email id , destination email id , email subject .

count emails based on domain of the source email

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎03-13-2017 08:37 AM 
(your base search that results in one record per email with source, dest and subject...) 
| table EmailSource EmailDest EmailSubject
| rex field=EmailSource "[^@]*@(?<DomainSource>.*)"
| fillnull DomainSource value="((Domain not found))"
| eventstats count as DomainCount by DomainSource
| sort 0 -DomainCount DomainSource EmailSource
| table DomainSource DomainCount EmailSource EmailDest EmailSubject

Ans a run-anywhere search with some test data to prove out the above code...

| makeresults 
| eval mydata="junkemail,dest1@dest.com,Test Bad Email!!!!bill2@gates.com,dest2@dest2.com,Pay Me Now!!!!bill1@gates.com,dest3@dest2.com,Pay Me Now!!!!bill1@gates.com,dest4@dest4.com,Pay Me Now Or Else!!!!steve@apple.com,everybody@world.com,I Am Risen Because It's Cool" 
| makemv delim="!!!!" mydata 
| mvexpand mydata 
| makemv delim="," mydata
| eval EmailSource=mvindex(mydata,0),  EmailDest=mvindex(mydata,1), EmailSubject=mvindex(mydata,2)
| table EmailSource EmailDest EmailSubject

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎03-13-2017 08:37 AM 
(your base search that results in one record per email with source, dest and subject...) 
| table EmailSource EmailDest EmailSubject
| rex field=EmailSource "[^@]*@(?<DomainSource>.*)"
| fillnull DomainSource value="((Domain not found))"
| eventstats count as DomainCount by DomainSource
| sort 0 -DomainCount DomainSource EmailSource
| table DomainSource DomainCount EmailSource EmailDest EmailSubject

Ans a run-anywhere search with some test data to prove out the above code...

| makeresults 
| eval mydata="junkemail,dest1@dest.com,Test Bad Email!!!!bill2@gates.com,dest2@dest2.com,Pay Me Now!!!!bill1@gates.com,dest3@dest2.com,Pay Me Now!!!!bill1@gates.com,dest4@dest4.com,Pay Me Now Or Else!!!!steve@apple.com,everybody@world.com,I Am Risen Because It's Cool" 
| makemv delim="!!!!" mydata 
| mvexpand mydata 
| makemv delim="," mydata
| eval EmailSource=mvindex(mydata,0),  EmailDest=mvindex(mydata,1), EmailSubject=mvindex(mydata,2)
| table EmailSource EmailDest EmailSubject
0 Karma
Reply
Solved! Jump to solution

rvinjana
Explorer
‎03-23-2017 09:16 AM

this is awesome thanks a lot

0 Karma
Reply
Solved! Jump to solution

asimagu
Builder
‎03-13-2017 07:38 AM

have you created the field extractions for your data?

0 Karma
Reply
Solved! Jump to solution

naidusadanala
Communicator
‎03-13-2017 08:12 AM

can you post your existing spl ?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...