- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- checking list of email domains appear in a field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a field (recipient) which contains all the recipients that an email was sent to. I also have a lookupcsv file with field (watch) which list of domain address to look for e.g. gmail.com
How can I check to see if a domain from the lookup csv appears anywhere within the recipient field - I need it as a filter so I can do work with the remainder of the records data
I have gotten closet using
|join recipient [|inputlookup check.csv |rename watch as recipient|fields recipient]
but it is not returning enough matches.
Many thanks for any pointers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
if you have a lookup with a field watch and lets say the value of "yes" and "no", you can use the | lookup command
like this : | lookup check.csv recipient OUTPUT watch you could add | fields recipient watch (assuming the field with the domains within the check.csv is called recipient)
then you can search for the value yes within the field watch your search| lookup check.csv recipient OUTPUT watch | fields recipient watch | where watch="yes"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
please accept answer if it was helpful 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Can you try this ?
Extract Domain from the recipient field and join with the Check.csv . Try the below query
| rex field=Recipient "\@(?[^.]*)" | eval Found= "N" | table Recipient Domain | join Domain [ | inputlookup Check.csv | eval Found="Y" | table Domain Found]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
if you have a lookup with a field watch and lets say the value of "yes" and "no", you can use the | lookup command
like this : | lookup check.csv recipient OUTPUT watch you could add | fields recipient watch (assuming the field with the domains within the check.csv is called recipient)
then you can search for the value yes within the field watch your search| lookup check.csv recipient OUTPUT watch | fields recipient watch | where watch="yes"
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
