Splunk provides a range of visualizations that let you build charts and dashboards from the imported data; a selection of examples is given below.
In the following examples the placeholder <INDEX_NAME> stands for the name of the index in which Splunk stores the imported data. If this is the only data stored in Splunk, the index= term may be left out (the search then runs against the default search indexes).
Traffic origins based on the sender IP address
index=<INDEX_NAME> | iplocation sender_ip | stats count by Country | sort -count
Volume of blocked mail by classification
index="<INDEX_NAME>" main_class="blacklisted" OR main_class="not-spam" OR main_class="phish" OR main_class="virus" | timechart limit=0 count by sub_class
Most common top-level domains across mail (requires the URL Toolbox app, which provides the ut_parse_extended macro and the ut_tld field)
index="<INDEX_NAME>" | stats count by sender
| rex field=sender "\@(?<domain_detected>[^@]+)$"
| stats sum(count) as count by domain_detected
| eval list="*"
| `ut_parse_extended(domain_detected, list)`| top ut_tld limit=100
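To see what the domain/TLD pipeline above actually computes, and why the sender regex should anchor on the last "@", here is the same aggregation written in Python. This is an added example, not part of the original page or of Splunk/URL Toolbox: the sender list and the tiny public-suffix set are constructed for the example (URL Toolbox uses the full list from publicsuffix.org), and PAGE_REX, STRICT_REX, domain_of, tld_of and top_tlds are names chosen here.

```python
"""Offline reproduction of the SPL pipeline: rex on sender, then a
public-suffix aware TLD (what URL Toolbox's ut_tld returns), then top.

Added example; sample data and the suffix set are constructed.
"""
import re
from collections import Counter
from typing import Optional

# Constructed sample of "sender" values, including the malformed shapes
# a real mail log contains.
SAMPLE_SENDERS = [
    "alice@example.com",
    "bob@mail.example.com",
    "carol@example.co.uk",
    "dave@news.example.co.uk",
    "erin@example.org",
    '"frank@corp"@phish.example.net',  # quoted local part containing '@'
    "",                                # null sender (bounce, <>)
    "no-at-sign",                      # not an address at all
]

# Constructed, deliberately tiny public-suffix set (real: publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}

# Regex as the page's original rex had it: everything after the FIRST '@'.
PAGE_REX = re.compile(r"@(?P<domain_detected>.*)")
# Hardened form: the part after the LAST '@', containing no further '@'.
STRICT_REX = re.compile(r"@(?P<domain_detected>[^@]+)$")


def domain_of(sender: str, pattern: re.Pattern = STRICT_REX) -> Optional[str]:
    """Mirror of `rex field=sender ...`: None when the regex does not match,
    just as rex leaves domain_detected unset for such events."""
    m = pattern.search(sender)
    return m.group("domain_detected").lower() if m else None


def tld_of(domain: str) -> str:
    """Public-suffix aware TLD: the longest trailing label sequence that is a
    public suffix, so example.co.uk -> co.uk (like ut_tld), not uk."""
    labels = domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]  # unknown suffix: fall back to the last label


def naive_tld_of(domain: str) -> str:
    """What a plain 'last label' split gives; shown for comparison."""
    return domain.rsplit(".", 1)[-1]


def top_tlds(senders, pattern: re.Pattern = STRICT_REX, limit: int = 100):
    """`stats count by sender | rex | stats sum(count) by domain | top ut_tld`,
    collapsed into one pass. Returns [(tld, count), ...] most common first."""
    counts: Counter = Counter()
    for sender in senders:
        domain = domain_of(sender, pattern)
        if domain is None:
            continue  # event dropped, exactly as in the SPL pipeline
        counts[tld_of(domain)] += 1
    return counts.most_common(limit)


if __name__ == "__main__":
    for tld, n in top_tlds(SAMPLE_SENDERS):
        print(f"{tld:8} {n}")
    # The page's original regex attributes the quoted sender to a bogus domain:
    print(domain_of('"frank@corp"@phish.example.net', PAGE_REX))
```

With the original regex the quoted address yields the domain `corp"@phish.example.net`, which would then be counted under a domain that does not exist; the anchored form returns `phish.example.net`. The same applies in SPL, which is why the rex above uses `[^@]+$`.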
In Splunk you can save searches, turn them into scheduled alerts, and build dashboards from the mail data, such as a simple accuracy dashboard.
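One way to save a search as a scheduled alert without using the web UI is Splunk's REST API (the saved/searches endpoint on the management port). The following is an added example, not code from the original page or from Splunk: the parameter names are Splunk's documented saved-search and alert settings, while the host, credentials, index name, recipient and the function names build_alert, phish_alert and create_alert are placeholders and assumptions of this example.

```python
"""Create a scheduled alert from one of the page's searches via Splunk REST.

Added example. SPLUNK_URL, INDEX_NAME, the recipient and the credentials
are placeholders; replace them before running create_alert().
"""
import base64
import json
import urllib.parse
import urllib.request

SPLUNK_URL = "https://splunk.example.internal:8089"  # placeholder management port
INDEX_NAME = "mail"                                   # placeholder for <INDEX_NAME>


def build_alert(name: str, search: str, cron: str = "*/15 * * * *",
                threshold: int = 0,
                recipient: str = "secops@example.internal") -> dict:
    """Parameters for a saved search that runs on `cron` over the last 15
    minutes and fires when it returns more than `threshold` events."""
    return {
        "name": name,
        "search": search,
        "is_scheduled": "1",
        "cron_schedule": cron,
        "dispatch.earliest_time": "-15m",
        "dispatch.latest_time": "now",
        "alert_type": "number of events",
        "alert_comparator": "greater than",
        "alert_threshold": str(threshold),
        "alert.track": "1",            # list firings under Triggered Alerts
        "actions": "email",
        "action.email.to": recipient,
    }


def phish_alert() -> dict:
    """The classification filter from the page, narrowed to phishing verdicts.
    Raw events (no stats) so 'number of events' counts matching mails."""
    search = f'index="{INDEX_NAME}" main_class="phish"'
    return build_alert("Phishing mail detected", search)


def encode_form(params: dict) -> bytes:
    """Splunk's REST endpoints take application/x-www-form-urlencoded bodies."""
    return urllib.parse.urlencode(params).encode()


def create_alert(params: dict, user: str, password: str,
                 base_url: str = SPLUNK_URL) -> dict:
    """POST the saved search; returns the decoded JSON response.
    Network call: only run against a Splunk instance you administer."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/services/saved/searches?output_mode=json",
        data=encode_form(params),
        headers={"Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verified by default
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(phish_alert(), indent=2))
    # create_alert(phish_alert(), "admin", "changeme")  # placeholder credentials
```

Use a dedicated service account with only the capability to write saved searches, and keep TLS verification on (the default above); disabling it to cope with a self-signed management certificate exposes the credentials to anyone on the path.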