Solved: SPL for Correlation search in enterprise security?

vikram1583 · ‎10-09-2019

index=email
| transaction mid icid
| stats count(recipient) as receipent_count by sender
| where receipent_count>100

I am using this in a correlation search but it is returning only sender information in fields but I want src_ip ,dest_ip and src_user can some one help me in modifying the search

woodcock · ‎10-13-2019

Like this:

index=email
| transaction mid icid
| stats count(recipient) as recipient_count BY sender src_ip dest_ip src_user
| where recipient_count>100

View solution in original post

woodcock · ‎10-13-2019

Like this:

index=email
| transaction mid icid
| stats count(recipient) as recipient_count BY sender src_ip dest_ip src_user
| where recipient_count>100

ashajambagi · ‎10-10-2019

Hi @vikram1583 ,

Stats command filter out the fields include the required fields in the stats or you can try using eventstats

index=email 
| transaction mid icid 
| stats count(recipient) as receipent_count values(src_ip) values(dest_ip) values(user) by sender 
| where receipent_count>100

SPL for Correlation search in enterprise security?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms