I am very new to splunk and still learning, but have a need to get some IP addresses from a very large log file. Basically how the log file works is the IP address is at the end of the line and when that IP errors the following 2 lines in the log give some information on it. But I am needing to build a list of IPs that have errored. The log looks like this:
2012-05-23 00:00:56,578  INFO Messaging.Common.LogUtil - UploadServer: Receiving SMail upload request from : 192.168.178.245
2012-05-23 00:00:56,578  ERROR Messaging.Common.LogUtil - UploadServer: File either not sent or length is invalid
2012-05-23 00:00:56,578  ERROR Messaging.Common.LogUtil - UploadServer: SMail message NOT stored - Returning error message: 2 - ERROR: File was not valid or no file was attempted to be sent
You notice there is a # in [ ] that is the same as the line that has the IP, this lets us know that this was the IP that had the error. I am not sure how to use these things to get me the list of IPs I need. Thank you for your help.
your search | rex "(?<src_ip>\d+\.\d+\.\d+\.\d+)" | rex "\s\[(?<tid>[^\]]+)\]" | transaction tid
The result should be all the events with the same transaction id (tid) grouped together with the src_ip field's value as the IP address in the first event.
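The same correlation done outside Splunk, as an added example that is not part of the question or the answer above. It assumes a bracketed thread id sits between the timestamp and the log level (the "# in [ ]" the question describes; the exact layout is an assumption) and, like `transaction tid`, it starts a new group whenever a new request line appears on an already-seen id, so reused thread ids do not mix one client's errors with the next; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample, assuming a "[thread-id]" field after the timestamp (the
# bracketed "#" the question describes); the real layout may differ. Thread 17
# is reused for a second, successful request to show that only the failing
# request's IP is reported.
SAMPLE_LOG = """\
2012-05-23 00:00:56,578 [17] INFO Messaging.Common.LogUtil - UploadServer: Receiving SMail upload request from : 192.168.178.245
2012-05-23 00:00:56,600 [18] INFO Messaging.Common.LogUtil - UploadServer: Receiving SMail upload request from : 10.0.0.9
2012-05-23 00:00:56,578 [17] ERROR Messaging.Common.LogUtil - UploadServer: File either not sent or length is invalid
2012-05-23 00:00:56,578 [17] ERROR Messaging.Common.LogUtil - UploadServer: SMail message NOT stored - Returning error message: 2 - ERROR: File was not valid or no file was attempted to be sent
2012-05-23 00:00:56,700 [18] INFO Messaging.Common.LogUtil - UploadServer: SMail message stored
2012-05-23 00:01:02,001 [17] INFO Messaging.Common.LogUtil - UploadServer: Receiving SMail upload request from : 10.0.0.77
2012-05-23 00:01:02,050 [17] INFO Messaging.Common.LogUtil - UploadServer: SMail message stored
"""

# date, time, [tid], LEVEL, logger, " - ", message
LINE_RE = re.compile(
    r"^\S+ \S+\s+\[(?P<tid>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+\S+ - (?P<msg>.*)$"
)
# the source IP is the last token of the "Receiving ... from :" line
IP_RE = re.compile(r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s*$")


def erroring_ips(log_text):
    """Map each source IP to the ERROR messages logged under its thread id.

    A request line ("... from : <ip>") opens a new transaction for its tid,
    closing any earlier one on the same tid, so reused ids stay separate.
    """
    open_tx = {}                      # tid -> [ip, [error messages]]
    result = defaultdict(list)

    def close(tid):
        ip, errors = open_tx.pop(tid, (None, []))
        if ip and errors:             # only IPs that actually errored
            result[ip].extend(errors)

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # not a line in the expected layout
        tid, level, msg = m.group("tid", "level", "msg")
        ip = IP_RE.search(msg)
        if ip:                        # request line: starts a new transaction
            close(tid)
            open_tx[tid] = [ip.group("src_ip"), []]
        elif level == "ERROR" and tid in open_tx:
            open_tx[tid][1].append(msg)
    for tid in list(open_tx):         # flush transactions still open at EOF
        close(tid)
    return dict(result)
```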