Fix rename syntax for parsed_sample headers in Splunk DMARC forensic dashboard

2026-05-20 10:55:24 +00:00 · 2026-05-03 19:09:04 -04:00
parent 3b9e678533
commit 8317ffcde8
1 changed files with 4 additions and 4 deletions
@@ -1,8 +1,8 @@
 <form theme="dark" version="1.1">
-  <label>Forensic DMARC Data</label>
+  <label>DMARC Failure Data</label>
  <search id="base_search">
    <query>
-      index="email" sourcetype="dmarc:forensic"
+      index="email" (sourcetype="dmarc:forensic" sourcetype="dmarc:failure") 
      (parsed_sample.headers.From=$header_from$ OR NOT parsed_sample.headers.From=*)
      (parsed_sample.headers.To=$header_to$ OR NOT parsed_sample.headers.To=*)
      (parsed_sample.headers.Subject=$header_subject$ OR NOT parsed_sample.headers.Subject=*)
@@ -61,7 +61,7 @@
      <title>DMARC failure email samples</title>
      <table>
        <search base="base_search">
-          <query>| rename parsed_sample.headers.From as "from", parsed_sample.headers.Subject as subject, "parsed_sample.headers.In-Reply-To" as reply_to
+          <query>| rename parsed_sample.headers.from{}{} as from, parsed_sample.headers.Subject as subject, parsed_sample.headers.reply-to{}{} as reply_to
 | table arrival_date_utc, source.ip_address, "from", subject, reply_to, authentication_results
 | sort -arrival_date_utc</query>
        </search>
@@ -71,4 +71,4 @@
      </table>
    </panel>
  </row>
-</form>
+</form>