- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: search requires stitching together two distinc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
search requires stitching together two distinct events from a single sourcetype
i require some assistance in my search query where i need to search a mail log to extract the highest recipients by message size based upon a unique common id.
as i am able to search events by the size field to see the values of message size from the senders addresses but i am unable to search this by the recipients address including to show the unique ID.
so i need to combine these two events first showing the message size and then the recipient addresses based upon a common queue ID. i know the stats function is more beneficial than the transaction command as it is costly. Also i believe i am able to chart it through xyseries but i'm unsure how to put this together as i have tried a various types of stats commands trying to put this together but i have a strong feeling i'm not executing it correctly
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@danesh_shah ,
Did you try stats values(recipient ) as recipient ,values(senders) as senders,max(message_size) by unqiue_id
If its not working, would it be possible to share some sample events after masking any sensitive data?
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi - Thanks, how can i produce this as a chart to show each value i.e. message size, unique ID and the recipient address?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i can visualise this as a chart but it only displays the chart over unique id by message size i need to show the recipients also
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=maildata sourcetype="email_log"
| stats values(from) as senders ,values(to) as recipients,max(size) as "Message SIze" by qid
| rename qid as "Unique ID"
| sort 10 -"Message Size"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@danesh_shah , it will be helpful if you have a sample events for both sender and recipient event. Please mask any sensitive information if needed
What goes around comes around. If it helps, hit it with Karma 🙂
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
