Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter a multivalue field so it returns results containing 3 or more values?

cm22486
Path Finder
‎05-17-2017 11:23 AM

Hello, thanks in advance for the help. I'd like to filter a multivalue field to where it will only return results that contain 3 or more values. This is in regards to email querying.

I am trying to figure out when somebody's account has been phished, because when they are phished, the attacker keeps sending out gobs of spam to gmail and hotmail addresses.

My fields are _time, sender, sender_domain, recipient, and message_subject

The recipient field will have up to 100 recipients. I want it to only show results that have greater than 2 recipients, and the recipients have at least one @gmail.com address, or @hotmail.com address. Below is the search I use, but obviously needs work.

sourcetype=MSExchange:2013:MessageTracking |dedup sender,recipient,message_subject, message_id |table _time sender sender_domain recipient recipient_domain message_subject |sort -_time |
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-17-2017 11:46 AM

Try like this (assuming field recipient is mulitivalued field. You may not need the makemv command)
Updated

sourcetype=MSExchange:2013:MessageTracking |dedup sender,recipient,message_subject, message_id |table _time sender sender_domain recipient recipient_domain message_subject | makemv recipient
| where mvcount(recipient)>2 AND (isnotnull(mvfind(recipient,"\.gmail\.com")) OR isnotnull(mvfind(recipient,"\.hotmail\.com")))

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-17-2017 01:18 PM

Like this:

sourcetype=MSExchange:2013:MessageTracking
|dedup sender,recipient,message_subject, message_id
| where mvcount(recipient) >= 3 AND isnotnull(mvfilter(match(recipient, "@(?:gmail|hotmail)\.com$")))
| table _time sender sender_domain recipient recipient_domain message_subject
Reply
Solved! Jump to solution

DalJeanis
Legend
‎05-17-2017 12:18 PM 
| where mvcount (mvfilter (match (recipient,"\.gmail\.com") OR match (recipient,"\.hotmail\.com") ) )>2

updated to add one more close parenthesis.

Reply
Solved! Jump to solution

cm22486
Path Finder
‎05-17-2017 12:19 PM

Error in 'where' command: The expression is malformed. Expected ).

Reply
Solved! Jump to solution

DalJeanis
Legend
‎05-17-2017 04:53 PM

Added one close paren.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-17-2017 11:46 AM

Try like this (assuming field recipient is mulitivalued field. You may not need the makemv command)
Updated

sourcetype=MSExchange:2013:MessageTracking |dedup sender,recipient,message_subject, message_id |table _time sender sender_domain recipient recipient_domain message_subject | makemv recipient
| where mvcount(recipient)>2 AND (isnotnull(mvfind(recipient,"\.gmail\.com")) OR isnotnull(mvfind(recipient,"\.hotmail\.com")))
Reply
Solved! Jump to solution

cm22486
Path Finder
‎05-17-2017 12:19 PM

"Error in 'where' command: The arguments to the 'mvfind' function are invalid."

0 Karma
Reply
Solved! Jump to solution

cm22486
Path Finder
‎05-17-2017 12:34 PM

That did it! Thanks!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-17-2017 12:23 PM

Try the updated answer.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...