I would like to compare two field values and return a new field with a percent match between the two.
Current search:
index=dlp severity="1:High" sender!="N/A"
| table _time, sender, recipients, Filename, Count, severity, incident_id, policy
| sort -_time
For example, if part of my search returns
sender: John.Smith@Coolcompany.com
Recipients: JohnSmith546@mail.com
I would like a new field named PercentMatch to return
PercentMatch: 80% (or whatever the actual calculation may be)
The goal is to help determine when users are sending themselves emails to their personal account. Thank you
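One way to compute the PercentMatch field the question asks for, as an added example that is not part of the original post and not Splunk's own code. Core SPL has no built-in edit-distance function (the normalisation step alone could be done with eval's lower() and replace()), so the scoring is shown in Python, which is also the shape it would take as a custom search command. The sample events, addresses and domains below are constructed for illustration; the 70% threshold and the choice to ignore recipients in the sender's own domain are design assumptions, not values from the question. The score is an edit-distance ratio over the normalised local parts (before the "@", lower-cased, with dots, underscores and digits stripped), so "John.Smith" and "JohnSmith546" compare as identical.

```python
import re

# Constructed sample events modelled on the fields in the question (not real data).
SAMPLE_EVENTS = [
    {"sender": "John.Smith@Coolcompany.com", "recipients": "JohnSmith546@mail.com"},
    {"sender": "jane.doe@coolcompany.com", "recipients": "jdoe99@gmail.com, team@coolcompany.com"},
    {"sender": "bob.jones@coolcompany.com", "recipients": "accounts@vendor.example"},
]


def local_part(address):
    """Part of an address before '@', lower-cased ('' if the string is empty)."""
    return address.strip().lower().split("@", 1)[0]


def domain(address):
    """Part of an address after the last '@', lower-cased."""
    return address.strip().lower().rsplit("@", 1)[-1]


def normalize(local):
    """Keep letters only, so 'john.smith' and 'johnsmith546' both become 'johnsmith'."""
    return re.sub(r"[^a-z]", "", local)


def levenshtein(a, b):
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (free if equal)
        prev = cur
    return prev[-1]


def percent_match(sender, recipient):
    """Similarity of the two normalised local parts as a whole-number percentage."""
    a = normalize(local_part(sender))
    b = normalize(local_part(recipient))
    if not a or not b:
        return 0
    return round(100 * (1 - levenshtein(a, b) / max(len(a), len(b))))


def best_match(sender, recipients):
    """Highest score across a comma-separated recipient list.

    Recipients in the sender's own domain are skipped (assumption: internal mail
    is not the self-send case the search is looking for).
    """
    scores = []
    for r in recipients.split(","):
        r = r.strip()
        if not r or domain(r) == domain(sender):
            continue
        scores.append(percent_match(sender, r))
    return max(scores, default=0)


def score_events(events, threshold=70):
    """Return events with PercentMatch and a SelfSend flag added, like an eval step."""
    return [
        {**e, "PercentMatch": pm, "SelfSend": pm >= threshold}
        for e in events
        for pm in [best_match(e["sender"], e["recipients"])]
    ]


if __name__ == "__main__":
    for row in score_events(SAMPLE_EVENTS):
        print(row["sender"], row["recipients"], row["PercentMatch"], row["SelfSend"])
```

Tuning note: letters-only normalisation is deliberately aggressive so that the common "firstname.lastname" to "firstnamelastname123" pattern scores 100; short local parts (initial plus surname, as in the jdoe99 sample) score lower and are where the threshold needs tuning against real data.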