Take output of one search and use to create a tabl...

johntaddei · ‎07-06-2015

Hi - email guy here...
I need to query message headers that meet a criteria, then use the returned QueueIDs to run a second search that produces a table of information.

Jul 6 14:41:55 blah.com sm-mta[2048]: t66Ifbqe002048: Milter insert (2147483646): header: X-IBE-Encrypted-Signer-District: blah.com
host = mailserver.blah index = mail source = /var/log/maillog sourcetype = mail
7/6/15
2:35:45.000 PM

Jul 6 14:35:45 blah2.com sm-mta[28881]: t66IZiJ6028881: Milter insert (2147483646): header: X-IBE-Encrypted-Signer-District: blah2.com
host = mailserver.blah2.com index = mail source = /var/log/maillog sourcetype = mail

The above t66 values should be the input to a second query that gets me the message information like "To: From:", etc.

I would like a chart that shows:

Domain Name To: From:
blah.com john.doe@somedomain.com user1@blah.com
blah2.com jane.doe@otherdomain.com newuser@blah2.com

woodcock · ‎07-06-2015

Like this (assuming all of your field extractions are already working; you may have to adjust my guesses at actual field names):

<search with domain/to/from> [ host = mailserver.blah2.com index = mail source = /var/log/maillog sourcetype = mail | dedup t66  | fileds t66 | rename t66 AS QueueID ] | fields "Domain Name" To From

woodcock · ‎07-17-2015

Did you get this working?

Take output of one search and use to create a table after looking up values

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?