I am monitoring emails and have a list of addresses emails are being sent to.
We have a list of companies which are OK to email, which currently numbers just over 1,000 and will change.
(some example names to use: a.com, b.eu, and c.uk, in OKaddress.csv)
How do I create a query that will ignore emails from the list, even though we could have john@b.eu and jane@b.eu, so we cannot use a list of all contacts?
I am new to Splunk, and searches for a solution and checking the user manual haven't helped, so many thanks in advance for any help.
Hello @ChrisCLewis,
As you have a csv file containing the list of valid companies, it should be quite easy to:
rex command
What's the current search you're using to search your logs? What's the expected output?
Good afternoon,
Many thanks for a speedy reply.
I've found the Regex command to get domains from email addresses (made slightly more complicated as there is often more than one recipient).
index="XYZ" earliest=07/01/2018:00:00:00 latest=07/31/2018:23:59:59 Address="*@*"
| rex max_match=0 field=Address "(?<user>[^@]+)@(?<domain>[^,\"\s\;]+)"
But I am having difficulty getting the output from Regex to work with the inputlookup approach to look for addresses:
| search NOT [ inputlookup company.csv | dedup company | rename company AS domain | fields domain ]
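An added example (not from anyone in this thread) showing the other common way to do this check: rather than pulling the allow list into a subsearch, run the `lookup` command against the CSV so every recipient domain is matched row by row. It keeps the search from the post above and assumes the lookup file is OKaddress.csv (as named in the question) with a single column `company` holding bare, lower-case domains such as a.com, b.eu and c.uk; the field names `user`, `domain` and `allowed_domain` are assumptions as well. `mvexpand` splits a message with several recipients into one row per domain, so a mail to john@b.eu and someone at an unlisted domain is reported for the unlisted domain only; `lower()` is there because CSV lookups match case-sensitively by default.

```spl
index="XYZ" earliest=07/01/2018:00:00:00 latest=07/31/2018:23:59:59 Address="*@*"
| rex max_match=0 field=Address "(?<user>[^@]+)@(?<domain>[^,\"\s\;]+)"
| mvexpand domain
| eval domain=lower(domain)
| lookup OKaddress.csv company AS domain OUTPUT company AS allowed_domain
| where isnull(allowed_domain)
| table _time, Address, domain
```

The result is one row per recipient whose domain is not in OKaddress.csv; swapping `isnull` for `isnotnull` gives the approved recipients instead. Because the allow list is consulted by `lookup` rather than expanded into the search string, it is not subject to the subsearch result limit (10,000 rows by default), which matters once the CSV grows well past the thousand entries mentioned above.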