Can anyone provide a sample search query to list the errors?
I have the error log shown below and I want to produce hourly/daily statistics for the different types of errors that occurred (450 - Client host rejected, Cannot resolve PTR; 505 - client was not authenticated, etc.).
Jan 30 01:56:28 10.0.0.12 Jan 30 09:59:56 Test_log_server: Info: Bounced: DCID 2415126 MID 3878944 to RID 0 - Bounced by destination server with response: 5.1.0 - Unknown address error ('550', ['User not found: testing@yahoo.com'])
Jan 30 01:55:00 10.0.0.12 Jan 30 09:58:27 Test_log_server: Info: Connection Error: DCID 2478960 domain: satx.rr.com IP: 75.321.123.243 port: 25 details: 554-'5.7.1 - ERROR: Mail refused - <10.0.0.125> - See htttp :// postmaster.rr.com/amIBlockedByRR?ip=10.0.0.125' interface: 10.0.0.125 reason: unexpected SMTP response
It seems like there is not a lot of consistency between the types of errors, the formats of the lines, etc.
If you only have a few types of errors, you could do something like this:
yoursearchhere
| eval errorType=case(
match(_raw,"Bounced:\sDCID\s\d+.*?Unknown address error \(.550"),"Unknown address error 550",
match(_raw,"Connection Error.*?ERROR\: Mail refused.*?reason\: unexpected SMTP response"),"Mail refused",
1==1,"No error"
)
| where errorType!="No error"
| timechart span=1h count by errorType
But the case function may get unwieldy very quickly. I suggest that you use eventtypes to distinguish the types of errors. An eventtype defines a category of events based on a search - each eventtype has its own search. This facility can make things very simple - especially if you name all of the eventtypes with a simple prefix like esa_ (for example esa_450_host_rejected).
Once you have your eventtypes set up, your search and report could be very very simple:
eventtype=esa*
| timechart span=1h count by eventtype
Learn about eventtypes in the Knowledge Manager manual
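As an added illustration (not part of the original answer, and not Splunk's own code), the following Python script mirrors the two approaches above: a table of named regular expressions, one per error category with the suggested esa_ prefix, stands in for the eventtypes, and a counter keyed by hour and category stands in for timechart span=1h count by eventtype. The first two sample lines are the ones from the question; the lines for the 450 and 505 errors and the trouble-free delivery line are constructed, as are the pattern wordings for those two categories (taken from the error names the question lists) and the year supplied for the year-less syslog timestamp.

```python
import re
from collections import Counter
from datetime import datetime

# Named patterns, one per error category, in the spirit of Splunk eventtypes
# sharing an "esa_" prefix. The first two regexes are the ones from the answer;
# the 450/505 wordings are assumptions based on the error names in the question.
ESA_EVENTTYPES = {
    "esa_550_unknown_address": re.compile(
        r"Bounced:\sDCID\s\d+.*?Unknown address error \(.550"),
    "esa_mail_refused": re.compile(
        r"Connection Error.*?ERROR: Mail refused.*?reason: unexpected SMTP response"),
    "esa_450_host_rejected": re.compile(r"450.*?Client host rejected"),
    "esa_505_not_authenticated": re.compile(r"505.*?client was not authenticated"),
}

# Leading syslog timestamp ("Jan 30 01:56:28"), used here as the event time.
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hms>\d{2}:\d{2}:\d{2})")

# Sample input: lines 1-2 are from the question, lines 3-5 are constructed.
SAMPLE_LINES = [
    "Jan 30 01:56:28 10.0.0.12 Jan 30 09:59:56 Test_log_server: Info: Bounced: DCID 2415126 "
    "MID 3878944 to RID 0 - Bounced by destination server with response: 5.1.0 - "
    "Unknown address error ('550', ['User not found: testing@yahoo.com'])",
    "Jan 30 01:55:00 10.0.0.12 Jan 30 09:58:27 Test_log_server: Info: Connection Error: "
    "DCID 2478960 domain: satx.rr.com IP: 75.321.123.243 port: 25 details: 554-'5.7.1 - "
    "ERROR: Mail refused - <10.0.0.125> - See htttp :// postmaster.rr.com/amIBlockedByRR"
    "?ip=10.0.0.125' interface: 10.0.0.125 reason: unexpected SMTP response",
    # constructed: 450 Client host rejected
    "Jan 30 02:10:11 10.0.0.12 Jan 30 10:13:40 Test_log_server: Info: Connection Error: "
    "DCID 2500001 domain: example.net port: 25 details: 450-'Client host rejected: "
    "cannot find your hostname' reason: unexpected SMTP response",
    # constructed: 505 client was not authenticated
    "Jan 30 02:33:05 10.0.0.12 Jan 30 10:36:30 Test_log_server: Info: Connection Error: "
    "DCID 2500002 domain: example.org port: 25 details: 505-'client was not authenticated' "
    "reason: unexpected SMTP response",
    # constructed: a normal delivery, i.e. the "No error" branch of the case() function
    "Jan 30 02:40:00 10.0.0.12 Jan 30 10:43:21 Test_log_server: Info: Delivered: DCID 2500003 "
    "MID 3879001 to RID 0",
]


def classify(line):
    """Return the first matching eventtype name, or None for the 'No error' case."""
    for name, pattern in ESA_EVENTTYPES.items():
        if pattern.search(line):          # Splunk match() is an unanchored search
            return name
    return None


def hour_bucket(line, year=2024):
    """Truncate the leading syslog timestamp to the hour (year is an assumption)."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
    return ts.replace(minute=0, second=0).strftime("%Y-%m-%d %H:00")


def timechart(lines):
    """Counter keyed by (hour, eventtype): the `timechart span=1h count by eventtype` table."""
    counts = Counter()
    for line in lines:
        etype = classify(line)
        if etype is None:
            continue                      # equivalent of `where errorType!="No error"`
        counts[(hour_bucket(line), etype)] += 1
    return counts


if __name__ == "__main__":
    for (hour, etype), n in sorted(timechart(SAMPLE_LINES).items()):
        print(f"{hour}  {etype:<28} {n}")
```

The ordered dictionary plays the role of the case() function: the first pattern that matches wins, so the most specific patterns should come first, and a line that matches nothing is dropped exactly as the where clause drops "No error". Adding a new error category is one more entry in the table rather than another branch in a growing case() expression, which is the maintainability point the answer makes about eventtypes.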
Hi Iguinn, thank you very much.