So I’m trying to link a couple different fields together to get the data I’m looking for, but it involves a couple of steps and I’m not sure how to put this subsearch together. I’ve been able to extract fields, but there are still some more steps to go. Anyway, here is what I’m trying to do:
1 - Find MIDs from lines with “Verification-Fail”
Jan 31 11:43:28 x.x.x.x mail_logs: Info: MID 401106733 Custom Log Entry: Verification-Fail
2 - Then search for that same MID to find the associated ICID
Jan 31 11:44:35 x.x.x.x mail_logs: Info: MID 1252214406 ICID 2116684223 From: user@company.com (with < > around email - will not come up in this editor)
3 - Then I take the ICID and search for that
grep 2116684223 logfile
Jan 31 11:44:35 x.x.x.x maillogs: Info: New SMTP ICID 2116684223 interface Data 1 (10.10.10.10) address 10.10.10.10 reverse dns host host.domain.local verified no
The data I need are the FROM: and the SMTP IP and HOST in bold above.
Any help at all is appreciated. Very new to Splunk, but I just need a nudge in the right direction.
Thanks.
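The three-step join described in the post (Verification-Fail MID, then MID to ICID and From:, then ICID to SMTP IP and reverse-DNS host), as an added Python example that is not part of the original post or a Splunk search; the log lines are constructed to match the formats quoted above, and the regexes and field names are assumptions.

```python
import re

# Constructed sample lines modelled on the formats quoted in the post (not real data).
# The last Verification-Fail MID has no MID/ICID line, to show the unmatched case.
SAMPLE_LOG = """\
Jan 31 11:43:28 10.0.0.1 mail_logs: Info: MID 401106733 Custom Log Entry: Verification-Fail
Jan 31 11:44:35 10.0.0.1 mail_logs: Info: New SMTP ICID 2116684223 interface Data 1 (10.10.10.10) address 10.10.10.10 reverse dns host host.domain.local verified no
Jan 31 11:44:35 10.0.0.1 mail_logs: Info: MID 401106733 ICID 2116684223 From: <user@company.com>
Jan 31 11:45:01 10.0.0.1 mail_logs: Info: New SMTP ICID 2116684300 interface Data 1 (10.10.10.10) address 192.0.2.7 reverse dns host mx.example.net verified yes
Jan 31 11:45:02 10.0.0.1 mail_logs: Info: MID 401106800 ICID 2116684300 From: <clean@example.net>
Jan 31 11:46:10 10.0.0.1 mail_logs: Info: MID 401106900 Custom Log Entry: Verification-Fail
"""

# Step 1: MIDs flagged with the custom Verification-Fail entry.
FAIL_RE = re.compile(r"MID (\d+) Custom Log Entry: Verification-Fail")
# Step 2: MID -> ICID and From: address (angle brackets optional).
MID_ICID_RE = re.compile(r"MID (\d+) ICID (\d+) From: <?([^>\s]+)>?")
# Step 3: ICID -> connecting SMTP peer address and reverse-DNS host.
ICID_RE = re.compile(r"New SMTP ICID (\d+) .*?address (\S+) reverse dns host (\S+)")

def correlate(log_text):
    """Return one dict per Verification-Fail MID, joined across the three line types.
    Lines may appear in any order; fields that cannot be joined are left as None."""
    failed_mids = set()
    mid_info = {}    # mid  -> (icid, from_addr)
    icid_info = {}   # icid -> (peer_ip, reverse_dns_host)
    for line in log_text.splitlines():
        if m := FAIL_RE.search(line):
            failed_mids.add(m.group(1))
        elif m := MID_ICID_RE.search(line):
            mid_info[m.group(1)] = (m.group(2), m.group(3))
        elif m := ICID_RE.search(line):
            icid_info[m.group(1)] = (m.group(2), m.group(3))
    results = []
    for mid in sorted(failed_mids):
        icid, sender = mid_info.get(mid, (None, None))
        ip, host = icid_info.get(icid, (None, None))
        results.append({"mid": mid, "icid": icid, "from": sender,
                        "smtp_ip": ip, "host": host})
    return results

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```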