Filter only part of a field

Mike Furrer

December 27, 2023 10:21

Hello

We want to see a statistic of outgoing mails/which domain sends how many.

Filtering by source user is easy, however what I would need is the domain, not the precise E-Mail address.
Is there a way to filter by only what comes after the @, so I can make a chart with only that information.
Or is there a way to get the more precise Domain.

cheers, and happy holidays

Mike

6 comments

Date Votes

Nils Krumrey December 27, 2023 10:33

There’s different ways of interpreting what you might mean by “filtering on”, but in any case it is probably easiest to use the “ norm on ” command to create a new field out of your logs’ sender field with just the domain part that you need. You can then do whatever you need to with your new domain field.

E.g.

sender=* | norm on sender @<email_domain:string>

Having said that, I believe at least the normaliser for the Exchange Message Tracing logs from Microsoft 365 already includes a “Server” field that contains the domain name, so I guess it depends on where your logs containing those email addresses come from whether you need to do this or not.

Mike Furrer December 27, 2023 12:17

Thanks for the quick response.
When I now try to do a chart count() by sender I get Null
Which I am sure means I did something wrong.

As for the Microsoft 365 I don’t see a field that would have the Domain of each seperate mail “domain” as multiple ones are running on the same exchange.
With filter I mean that we have currently multiple mail domains e.g test123@muster.com, muster@test.com and xyz@example.ch and I wanna filter/chart count how many mails, are sent by each individual Domain.

Nils Krumrey December 27, 2023 12:24

I might have misinterpreted the server field based on our limited demo log data, so ignore that one - but the “norm on” field should work. If you’re getting null on the sender field then there’s definitely something wrong - the “norm on” splits the domain out into a field called “email_domain”, and you should be able to sort by that. It doesn’t even touch the sender field…

Mike Furrer December 27, 2023 12:37

I see interesting
I have tried it with this
"outbound_interface" = "OutgoingMail" norm_id=CEF | norm on sender @<email_domain:string> | chart count() by email_Domain

And this
"outbound_interface" = "OutgoingMail" norm_id=CEF | norm on sender @<email_domain:string> | chart count() by sender

And both return null.

Nils Krumrey December 27, 2023 15:13

Do you have an example of your logs - where do they come from? It sounds a bit like you don’t have a sender field to begin with - what field is the username@domain value held in? The above hinges on you pointing the norm command at the right field…

Mike Furrer December 28, 2023 07:45

Aha yes I used the wrong field, the “sender” had to be Source_User, now it is working, Thank you.

Please sign in to leave a comment.