Hi guys,
I'm trying to create a query for a phishing mail tracking dashboard. The problem I'm facing is that a correlation has to be done through the different indexes and sources to get all the relevant information for one event.
One step is to search for a specific sender in the "filterlog" sourcetype, take the corresponding "message_session_id" from the results and run a new search on the same index and sourcetype to get all relevant data for a specific email. Unfortunately, the information such as attachment file name, file type and action is distributed across different events, which are identifiable through the unique "message_session_id".
Therefore, this query gives me the results that I need:
index=A sourcetype=filterlog
[search index=A sourcetype=filterlog src_user="A@gmail.com" | return $message_session_id]
The next step would be to search a second index B in the sourcetype "sentrion" for additional data that is not available in index A. The common field in both indexes would be the "message_id" field. In the end, I want to get one event out of the data of the different indexes and data sources for one email. But I have not figured out how to keep the results from the subsearches. I tried join, union and append without success. Every time I use join or append, the query gives me back way more results than expected.
I tried something like this, but without success, because I'm losing the results from the subsearches and I haven't figured out how to integrate the return function properly to search for all the related info for one specific email in the "filterlog" sourcetype based on the "message_session_id":
index=A sourcetype=filterlog
[ search index=msgbackbone sourcetype=filterlog:pps:extmail
[ search index=B sourcetype=sentrion sender="A@gmail.com" | fields + message_id ] | fields + message_session_id ]
| stats values(_time) as _time, values(recipient) as recipient, values(subject) as subject, values(qid) as qid, values(action) as action, values(file_name) as file_name, values(file_type) as file_type by message_id sender
What would be the right way to address this? Should I use join or append to keep the results? Or should I use the transaction command?
Please excuse me, my knowledge of Splunk is quite limited; some hints would be very much appreciated.
Thanks in advance and Cheers,
Joel
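Added example (editor's note, not part of Joel's post): one way to carry the subsearch results through to a single row per mail, assuming the field names given in the post (src_user and message_session_id in index A, sender and message_id in index B). Two details matter here: return emits only one row unless a count is given, and stats by message_id silently drops any event where that field is missing, so message_id is first propagated across all filterlog events of a session with eventstats.

```spl
index=A sourcetype=filterlog
    [ search index=A sourcetype=filterlog src_user="A@gmail.com"
      | return 1000 $message_session_id ]
| fields _time message_id message_session_id src_user recipient subject qid action file_name file_type
| eventstats values(message_id) as message_id by message_session_id
| append
    [ search index=B sourcetype=sentrion sender="A@gmail.com"
      | fields _time message_id sender subject ]
| eval sender=coalesce(sender, src_user)
| stats min(_time) as first_seen, max(_time) as last_seen,
        values(message_session_id) as message_session_id, values(sender) as sender,
        values(recipient) as recipient, values(subject) as subject, values(qid) as qid,
        values(action) as action, values(file_name) as file_name, values(file_type) as file_type
    by message_id
```

The extra rows seen with join or append are expected: the events from both indexes stay separate until the final stats folds them by the common key, so the stats is what produces one row per email. The coalesce step is needed because the sender sits in different fields on the two sides; without it, grouping by sender splits one mail into two rows. Subsearches are capped by default at 10,000 results and 60 seconds, so over a wide time range the return and append stages can truncate silently; for a dashboard it is safer to keep the time range tight or narrow the inner searches further.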