Solved

Filter only part of a field

  • 27 December 2023
  • 6 replies
  • 93 views

Hello

We want to see a statistic of outgoing mails/which domain sends how many.

Filtering by source user is easy, however what I would need is the domain, not the precise e-mail address.
Is there a way to filter by only what comes after the @, so I can make a chart with only that information?
Or is there a way to get the more precise domain?

cheers, and happy holidays

Mike

Best answer by Nils Krumey 27 December 2023, 16:13

There’s different ways of interpreting what you might mean by “filtering on”, but in any case it is probably easiest to use the “norm on” command to create a new field out of your logs’ sender field with just the domain part that you need. You can then do whatever you need to with your new domain field.

E.g. 

sender=* | norm on sender @<email_domain:string>

Having said that, I believe at least the normaliser for the Exchange Message Tracing logs from Microsoft 365 already includes a “Server” field that contains the domain name, so I guess it depends on where your logs containing those email addresses come from whether you need to do this or not.

Thanks for the quick response.
When I now try to do a chart count() by sender I get Null
Which I am sure means I did something wrong.

As for the Microsoft 365, I don’t see a field that would have the domain of each separate mail “domain”, as multiple ones are running on the same Exchange.
With filter I mean that we currently have multiple mail domains, e.g. test123@muster.com, muster@test.com and xyz@example.ch, and I want to filter/chart count how many mails are sent by each individual domain.

I might have misinterpreted the server field based on our limited demo log data, so ignore that one - but the “norm on” field should work. If you’re getting null on the sender field then there’s definitely something wrong - the “norm on” splits the domain out into a field called “email_domain”, and you should be able to sort by that. It doesn’t even touch the sender field…

I see, interesting.
I have tried it with this:
"outbound_interface" = "OutgoingMail" norm_id=CEF  | norm on sender @<email_domain:string> | chart count() by email_Domain

And this:
"outbound_interface" = "OutgoingMail" norm_id=CEF  | norm on sender @<email_domain:string> | chart count() by sender

And both return null.

Do you have an example of your logs - where do they come from? It sounds a bit like you don’t have a sender field to begin with - what field is the username@domain value held in? The above hinges on you pointing the norm command at the right field…

Aha, yes, I used the wrong field: the “sender” had to be Source_User. Now it is working, thank you.
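As an added example that is not part of the thread or of Logpoint itself, the Python below reproduces what the “norm on sender @<email_domain:string> | chart count() by email_domain” pipeline from the accepted answer does, and also shows the failure mode from the follow-up posts: pointing the extraction at a field that does not exist in the events yields only null buckets. The event records and field names (source_user, outbound_interface, norm_id) are constructed to match the thread; the lower-casing of the domain is an added choice, since domain names are case-insensitive and a chart that splits “Example.CH” from “example.ch” would be misleading.

```python
import re
from collections import Counter

# Constructed sample events standing in for normalised mail-tracking logs.
# As in the thread, the address lives in "source_user", not in "sender".
SAMPLE_EVENTS = [
    {"outbound_interface": "OutgoingMail", "norm_id": "CEF", "source_user": "test123@muster.com"},
    {"outbound_interface": "OutgoingMail", "norm_id": "CEF", "source_user": "muster@test.com"},
    {"outbound_interface": "OutgoingMail", "norm_id": "CEF", "source_user": "Xyz@Example.CH"},
    {"outbound_interface": "OutgoingMail", "norm_id": "CEF", "source_user": "second@muster.com"},
    {"outbound_interface": "OutgoingMail", "norm_id": "CEF", "source_user": "no-at-sign"},
    {"outbound_interface": "IncomingMail", "norm_id": "CEF", "source_user": "x@elsewhere.org"},
]

# Equivalent of "norm on <field> @<email_domain:string>": capture everything
# after the last "@" up to the end of the value (no whitespace, no further "@").
DOMAIN_RE = re.compile(r"@([^@\s]+)$")


def extract_domain(event, field="source_user"):
    """Return the lower-cased domain part of the address held in `field`.

    Returns None when the field is absent (the "null" seen in the thread when
    the query pointed at "sender") or when the value has no "@domain" suffix.
    """
    value = event.get(field)
    if not isinstance(value, str):
        return None
    match = DOMAIN_RE.search(value.strip())
    return match.group(1).lower() if match else None


def count_by_domain(events, field="source_user", outbound_interface="OutgoingMail"):
    """Equivalent of:
    outbound_interface=<...> | norm on <field> @<email_domain:string> | chart count() by email_domain

    The None key collects events where no domain could be extracted, which is
    the bucket to inspect first when a chart comes back "null".
    """
    counts = Counter()
    for event in events:
        if event.get("outbound_interface") != outbound_interface:
            continue
        counts[extract_domain(event, field)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Correct field: one bucket per sending domain plus one unparseable value.
    print(count_by_domain(SAMPLE_EVENTS))
    # Wrong field, as in the first attempts in the thread: every event lands in the None bucket.
    print(count_by_domain(SAMPLE_EVENTS, field="sender"))
```

Running the block prints the per-domain counts for the correct field and then a single None bucket for the non-existent “sender” field, which is the quickest way to confirm that a null chart comes from the field name rather than from the norm on pattern.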