https://community.splunk.com/t5/Splunk-Search/Ironport-email-list-out-the-email-errors/m-p/130490#M184540 <P>It seems like there is not a lot of consistency between the types of errors, the formats of the lines, etc.<BR /> If you only have a few types of errors, you could do something like this</P> <PRE><CODE>yoursearchhere | eval errorType=case( match(_raw,"Bounced:\sDCID\s\d+.*?Unknown address error \(.550"),"Unknown address error 550", match(_raw,"Connection Error.*?ERROR\: Mail refused.*?reason\: unexpected SMTP response"),"Mail refused" 1==1,"No error" ) | where errorType!="No error" | timechart span=1h count by errorType </CODE></PRE> <P>But the <CODE>case</CODE> function may get unwieldy very quickly. I suggest that you use <CODE>eventtypes</CODE> to distinguish the types of errors. An eventtype defines a category of events based on a search - each eventtype has its own search. This facility can make things very simple - especially if you name all of the eventtypes with a simple prefix like <CODE>esa_</CODE> (for example <CODE>esa_450_host_rejected</CODE>).</P> <P>Once you have your eventtypes set up, your search and report could be very very simple:</P> <PRE><CODE>eventtype=esa* | timechart span=1h count by eventtype </CODE></PRE> <P>Learn about eventtypes in the <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Classifyandgroupsimilarevents">Knowledge Manager manual</A></P> Thu, 30 Jan 2014 06:07:57 GMT lguinn2 2014-01-30T06:07:57Z https://community.splunk.com/t5/Splunk-Search/Ironport-email-list-out-the-email-errors/m-p/130489#M184539 <P>Can anyone provide some sample search query to list out the errors?</P> <P>I have the error log shown as below and I want to do a statistic hourly/daily for different type of errors(450 -<BR /> Client host rejected， Cannot resolve PTR; 505 - client was not authenticated etc) happened.</P> <HR /> <P>Jan 30 01:56:28 10.0.0.12 Jan 30 09:59:56 Test_log_server: Info: Bounced: DCID 2415126 MID 3878944 to RID 0 - Bounced by destination server with response: 5.1.0 - Unknown address error ('550', ['User not found: <A href="mailto:testing@yahoo.com" target="_blank">testing@yahoo.com</A>']) </P> <P>Jan 30 01:55:00 10.0.0.12 Jan 30 09:58:27 Test_log_server: Info: Connection Error: DCID 2478960 domain: satx.rr.com IP: 75.321.123.243 port: 25 details: 554-'5.7.1 - ERROR: Mail refused - &lt;10.0.0.125&gt; - See htttp :// postmaster.rr.com/amIBlockedByRR?ip=10.0.0.125' interface: 10.0.0.125 reason: unexpected SMTP response</P> Mon, 28 Sep 2020 15:45:59 GMT https://community.splunk.com/t5/Splunk-Search/Ironport-email-list-out-the-email-errors/m-p/130489#M184539 vickileong 2020-09-28T15:45:59Z https://community.splunk.com/t5/Splunk-Search/Ironport-email-list-out-the-email-errors/m-p/130490#M184540 <P>It seems like there is not a lot of consistency between the types of errors, the formats of the lines, etc.<BR /> If you only have a few types of errors, you could do something like this</P> <PRE><CODE>yoursearchhere | eval errorType=case( match(_raw,"Bounced:\sDCID\s\d+.*?Unknown address error \(.550"),"Unknown address error 550", match(_raw,"Connection Error.*?ERROR\: Mail refused.*?reason\: unexpected SMTP response"),"Mail refused" 1==1,"No error" ) | where errorType!="No error" | timechart span=1h count by errorType </CODE></PRE> <P>But the <CODE>case</CODE> function may get unwieldy very quickly. I suggest that you use <CODE>eventtypes</CODE> to distinguish the types of errors. An eventtype defines a category of events based on a search - each eventtype has its own search. This facility can make things very simple - especially if you name all of the eventtypes with a simple prefix like <CODE>esa_</CODE> (for example <CODE>esa_450_host_rejected</CODE>).</P> <P>Once you have your eventtypes set up, your search and report could be very very simple:</P> <PRE><CODE>eventtype=esa* | timechart span=1h count by eventtype </CODE></PRE> <P>Learn about eventtypes in the <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Classifyandgroupsimilarevents">Knowledge Manager manual</A></P> Thu, 30 Jan 2014 06:07:57 GMT https://community.splunk.com/t5/Splunk-Search/Ironport-email-list-out-the-email-errors/m-p/130490#M184540 lguinn2 2014-01-30T06:07:57Z https://community.splunk.com/t5/Splunk-Search/Ironport-email-list-out-the-email-errors/m-p/130491#M184541 <P>hi Iguinn, Thank you very much.</P> Wed, 05 Feb 2014 01:13:30 GMT https://community.splunk.com/t5/Splunk-Search/Ironport-email-list-out-the-email-errors/m-p/130491#M184541 vickileong 2014-02-05T01:13:30Z