
Proofpoint logs in Splunk - some email events giving time gap issues ?

pgadhari
Builder

I want to find out all the senders to a particular recipient from my Proofpoint logs coming into Splunk. I am facing one issue here. For some events the sender is showing as blank, but in reality the actual event shows the value of the sender field. For most events the sender and recipient fields have the same timestamp, but there are some events where there is a delay of 4 to 5 seconds between the sender event and the recipient event, for which the table shows the sender as blank. Below is the query:

index=proofpoint sourcetype=pps_log mod=mail (cmd=env_rcpt OR cmd=env_from)
| eval Recipient=if(cmd=="env_rcpt", value, " ")
| eval Sender=if(cmd=="env_from", value, " ")
| stats values(Recipient) as Recipient, values(Sender) as Sender by _time, s
| mvexpand Sender
| where like(Recipient, "pankaj.gadhari@domain.ae%")
| eval Time=strftime(_time, "%d-%m-%Y %H:%M:%S")
| table Time Sender Recipient

How do I resolve the issue? I want to show the Sender field even when there is a time gap of 4 to 5 seconds between the sender event and the recipient event. Here the unique field is "s", which is the event id of the message.

The images below show the output of the result.

  1. The final table, which shows some events with Sender as blank: https://ibb.co/ccD9QB5
  2. When the timestamp matches for the Sender and Recipient events, the Sender is displayed in the table: https://ibb.co/GpDwYPy
  3. When there is a gap of 4 to 5 seconds between the two events, the Sender field is blank: https://ibb.co/r4dnpZt

Thanks
PG

0 Karma
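The blank senders come from the grouping key: `stats ... by _time, s` only merges the env_from and env_rcpt events when they share the same second, so a message whose envelope events are a few seconds apart is split into two rows and the recipient row has no sender. Correlating on the message id alone (`s`) and carrying the earliest timestamp along avoids that. The query below is an added example, not part of the original post; it assumes the same field names as the poster's query (`cmd`, `value`, `s`) and reuses the recipient address from the post.

```spl
index=proofpoint sourcetype=pps_log mod=mail (cmd=env_rcpt OR cmd=env_from)
| eval Recipient=if(cmd=="env_rcpt", value, null())
| eval Sender=if(cmd=="env_from", value, null())
| stats earliest(_time) as _time, values(Sender) as Sender, values(Recipient) as Recipient by s
| mvexpand Recipient
| where like(Recipient, "pankaj.gadhari@domain.ae%")
| eval Time=strftime(_time, "%d-%m-%Y %H:%M:%S")
| table Time Sender Recipient
```

Two details matter here. Using `null()` instead of `" "` for the non-matching branch keeps `values()` from collecting a blank string as a legitimate sender or recipient. Expanding `Recipient` rather than `Sender` reflects the data: one message has one envelope sender and possibly many recipients, and the `where` filter then tests each recipient individually instead of a multivalue field. One caveat remains: `stats by s` can only join events that both fall inside the search time range, so a message whose env_from landed just before the window starts will still show a blank Sender; widening the earliest bound by a few seconds covers that edge.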

pgadhari
Builder

Can anyone reply on this issue?

0 Karma