From 5ba72d278326c0e69b686d5d087e79db33deaad7 Mon Sep 17 00:00:00 2001
From: Sean Whalen
Date: Sun, 3 May 2026 15:27:43 -0400
Subject: [PATCH] Add source AS name to fillnull and search queries in DMARC aggregate dashboard
---
dashboards/splunk/dmarc_aggregate_dashboard.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dashboards/splunk/dmarc_aggregate_dashboard.xml b/dashboards/splunk/dmarc_aggregate_dashboard.xml
index 70f1bec..b494797 100644
--- a/dashboards/splunk/dmarc_aggregate_dashboard.xml
+++ b/dashboards/splunk/dmarc_aggregate_dashboard.xml
@@ -5,7 +5,7 @@ index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | rename spf_results{}.domain as envelope_domain spf_results{}.result as spf_result spf_results{}.scope as spf_scope dkim_results{}.selector as dkim_selector dkim_results{}.domain as dkim_domain dkim_results{}.result as dkim_result
- | fillnull value=null source_reverse_dns source_base_domain dkim_selector dkim_domain dkim_result source_type source_name
+ | fillnull value=null source_reverse_dns source_base_domain dkim_selector dkim_domain dkim_result source_type source_name source_as_name | search dkim_selector=$dkim_selector$ dkim_domain=$dkim_domain$ source_type="$source_type$" source_name="$source_name$" source_as_name="$source_as_name$" | table *
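Review bot: The `source_as_name="$source_as_name$"` term in the `| search` clause after the new `fillnull` line puts the raw token value inside hand-written double quotes, so a value containing a `"` ends the string early and either breaks the search or changes what it matches. AS names come from external enrichment data, and the token is presumably set from a form input or drilldown that this hunk does not show, so Splunk's quoting token filter is the safer form: `source_as_name=$source_as_name|s$`, and likewise for `source_type` and `source_name`. The `fillnull value=null` addition also gives events without an AS name the literal string `null`, which cannot be told apart from a real value with that text. A short comment in the dashboard saying the placeholder is there so a wildcard token value still matches those events (if that is the intent) would help the next maintainer. The enclosing query element starts and ends outside the hunk.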