Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter a multivalue field so it returns results containing 3 or more values?

cm22486
Path Finder
‎05-17-2017 11:23 AM

Hello, thanks in advance for the help. I'd like to filter a multivalue field to where it will only return results that contain 3 or more values. This is in regards to email querying.

I am trying to figure out when somebody's account has been phished, because when they are phished, the attacker keeps sending out gobs of spam to gmail and hotmail addresses.

My fields are _time, sender, sender_domain, recipient, and message_subject

The recipient field will have up to 100 recipients. I want it to only show results that have greater than 2 recipients, and the recipients have at least one @gmail.com address, or @hotmail.com address. Below is the search I use, but obviously needs work.

sourcetype=MSExchange:2013:MessageTracking |dedup sender,recipient,message_subject, message_id |table _time sender sender_domain recipient recipient_domain message_subject |sort -_time |
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-17-2017 11:46 AM

Try like this (assuming field recipient is mulitivalued field. You may not need the makemv command)
Updated

sourcetype=MSExchange:2013:MessageTracking |dedup sender,recipient,message_subject, message_id |table _time sender sender_domain recipient recipient_domain message_subject | makemv recipient
| where mvcount(recipient)>2 AND (isnotnull(mvfind(recipient,"\.gmail\.com")) OR isnotnull(mvfind(recipient,"\.hotmail\.com")))

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-17-2017 01:18 PM

Like this:

sourcetype=MSExchange:2013:MessageTracking
|dedup sender,recipient,message_subject, message_id
| where mvcount(recipient) >= 3 AND isnotnull(mvfilter(match(recipient, "@(?:gmail|hotmail)\.com$")))
| table _time sender sender_domain recipient recipient_domain message_subject
Reply
Solved! Jump to solution

DalJeanis
Legend
‎05-17-2017 12:18 PM 
| where mvcount (mvfilter (match (recipient,"\.gmail\.com") OR match (recipient,"\.hotmail\.com") ) )>2

updated to add one more close parenthesis.

Reply
Solved! Jump to solution

cm22486
Path Finder
‎05-17-2017 12:19 PM

Error in 'where' command: The expression is malformed. Expected ).

Reply
Solved! Jump to solution

DalJeanis
Legend
‎05-17-2017 04:53 PM

Added one close paren.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-17-2017 11:46 AM

Try like this (assuming field recipient is mulitivalued field. You may not need the makemv command)
Updated

sourcetype=MSExchange:2013:MessageTracking |dedup sender,recipient,message_subject, message_id |table _time sender sender_domain recipient recipient_domain message_subject | makemv recipient
| where mvcount(recipient)>2 AND (isnotnull(mvfind(recipient,"\.gmail\.com")) OR isnotnull(mvfind(recipient,"\.hotmail\.com")))
Reply
Solved! Jump to solution

cm22486
Path Finder
‎05-17-2017 12:19 PM

"Error in 'where' command: The arguments to the 'mvfind' function are invalid."

0 Karma
Reply
Solved! Jump to solution

cm22486
Path Finder
‎05-17-2017 12:34 PM

That did it! Thanks!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-17-2017 12:23 PM

Try the updated answer.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...