Splunk Search

Ironport email - list out the email errors

vickileong
Explorer

Can anyone provide a sample search query to list out the errors?

I have the error log shown below and I want to produce hourly/daily statistics for the different types of errors (450 - Client host rejected, Cannot resolve PTR; 505 - client was not authenticated, etc.) that happened.


Jan 30 01:56:28 10.0.0.12 Jan 30 09:59:56 Test_log_server: Info: Bounced: DCID 2415126 MID 3878944 to RID 0 - Bounced by destination server with response: 5.1.0 - Unknown address error ('550', ['User not found: testing@yahoo.com'])

Jan 30 01:55:00 10.0.0.12 Jan 30 09:58:27 Test_log_server: Info: Connection Error: DCID 2478960 domain: satx.rr.com IP: 75.321.123.243 port: 25 details: 554-'5.7.1 - ERROR: Mail refused - <10.0.0.125> - See htttp :// postmaster.rr.com/amIBlockedByRR?ip=10.0.0.125' interface: 10.0.0.125 reason: unexpected SMTP response

1 Solution

lguinn2
Legend

It seems like there is not a lot of consistency between the types of errors, the formats of the lines, etc.
If you only have a few types of errors, you could do something like this:

yoursearchhere
| eval errorType=case(
    match(_raw,"Bounced:\sDCID\s\d+.*?Unknown address error \(.550"),"Unknown address error 550",
    match(_raw,"Connection Error.*?ERROR\: Mail refused.*?reason\: unexpected SMTP response"),"Mail refused",
    1==1,"No error"
    )
| where errorType!="No error"
| timechart span=1h count by errorType

But the case function may get unwieldy very quickly. I suggest that you use eventtypes to distinguish the types of errors. An eventtype defines a category of events based on a search - each eventtype has its own search. This facility can make things very simple - especially if you name all of the eventtypes with a simple prefix like esa_ (for example esa_450_host_rejected).

Once you have your eventtypes set up, your search and report could be very very simple:

eventtype=esa*
| timechart span=1h count by eventtype

Learn about eventtypes in the Knowledge Manager manual

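The eventtype approach from the answer above, worked out as an added example (not from the original post, and not Splunk's or Cisco's own configuration). The stanzas assume an index named mail and the sourcetype cisco:esa:textmail; the 450 stanza's search phrase is taken from the question text, since no 450 log line appears on this page.

```ini
# eventtypes.conf (added example; index=mail and sourcetype=cisco:esa:textmail are assumptions)
# Eventtype searches must be plain searches: no pipes and no subsearches.
# One stanza per error class, all prefixed esa_ so the report can select them with eventtype=esa_*

[esa_550_unknown_address]
search = index=mail sourcetype=cisco:esa:textmail "Bounced: DCID" "Unknown address error" "550"
description = Bounced by the destination server with 5.1.0 unknown address (550)
priority = 1

[esa_554_mail_refused]
search = index=mail sourcetype=cisco:esa:textmail "Connection Error: DCID" "Mail refused" "reason: unexpected SMTP response"
description = Destination refused the connection with 554 5.7.1
priority = 1

[esa_450_host_rejected]
# Phrase taken from the question, not from a log sample: verify it against real events before relying on it
search = index=mail sourcetype=cisco:esa:textmail "Client host rejected" "Cannot resolve PTR"
description = Sending host rejected because its PTR record could not be resolved (450)
priority = 1

# savedsearches.conf (added example): schedule the hourly breakdown the answer proposes
[ESA delivery errors by hour]
search = eventtype=esa_* | timechart span=1h count by eventtype
dispatch.earliest_time = -24h@h
dispatch.latest_time = @h
cron_schedule = 5 * * * *
enableSched = 1
```

Because eventtype is a multivalued field when an event matches more than one stanza, keep the stanza searches mutually exclusive so that count by eventtype does not count one event twice.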


vickileong
Explorer

Hi lguinn, thank you very much.
