I am working with an event log from an email system where all the different recipients of an email are being listed and I have taken that field from a single value field to a multivalue field. What I am trying to do is match the recipient's domain to a list of approved domain items and only those domains. I am having difficulty because if I specify something like the following
index=email | makemv delim="," recipient | search recipient="*domain1.com" OR recipient="*domain2.com"
I end up getting emails that could contain anything that has either of those in them, including emails that contain domain1.com, domain2.com, and domain3.com (domain3.com being unacceptable to have included in this). I want to restrict the search to only those events that have addresses from the list of domains that are approved for sending information, and exclude any emails that contain those domains together with other domains that are not on that list; going back to my example, here is a simple illustration of what I am looking for:
included - recipient=user@domain1.com,user@domain2.com
included - recipient=user@domain1.com
included - recipient=user@domain2.com
excluded - recipient=user@domain1.com,user@domain3.com
excluded - recipient=user@domain3.com
excluded - recipient=user@domain2.com,user@domain3.com
Any ideas on how to achieve this would be appreciated.
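One way to express "every recipient domain must be on the approved list" in SPL, added here as an example and not part of the original post. It assumes the `index=email` and comma-separated `recipient` field from the question and an approved list of `domain1.com` and `domain2.com`; the `rdomain`, `n_total` and `n_approved` field names are my own.

```spl
index=email
| rex field=recipient max_match=0 "@(?<rdomain>[^,\s]+)"
| eval n_total=coalesce(mvcount(rdomain), 0)
| eval n_approved=coalesce(mvcount(mvfilter(match(rdomain, "(?i)^(domain1\.com|domain2\.com)$"))), 0)
| where n_total>0 AND n_total=n_approved
```

The `rex` with `max_match=0` pulls every domain after an `@` out of the original comma-separated string into a multivalue field, so `makemv` is not needed. `mvfilter` keeps only the values that match the anchored, case-insensitive allowlist regex, and the final `where` keeps an event only when the count of approved domains equals the total count, which gives exactly the included/excluded split listed in the question (a recipient list with no approved domain at all also drops out, because `mvfilter` returns nothing and the count becomes 0). The anchored regex matters: a wildcard like `*domain1.com` also matches addresses such as `user@evil-domain1.com`, whereas `^(domain1\.com|domain2\.com)$` only matches the exact approved domains. For a longer allowlist, the same check works with a lookup table instead of a regex alternation.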