Splunk Search

Ironport email - list out the email errors

vickileong
Explorer

Can anyone provide a sample search query to list out the errors?

I have the error log shown below, and I want hourly/daily statistics for the different types of errors (450 - Client host rejected, Cannot resolve PTR; 505 - client was not authenticated, etc.) that happened.


Jan 30 01:56:28 10.0.0.12 Jan 30 09:59:56 Test_log_server: Info: Bounced: DCID 2415126 MID 3878944 to RID 0 - Bounced by destination server with response: 5.1.0 - Unknown address error ('550', ['User not found: testing@yahoo.com'])

Jan 30 01:55:00 10.0.0.12 Jan 30 09:58:27 Test_log_server: Info: Connection Error: DCID 2478960 domain: satx.rr.com IP: 75.321.123.243 port: 25 details: 554-'5.7.1 - ERROR: Mail refused - <10.0.0.125> - See htttp :// postmaster.rr.com/amIBlockedByRR?ip=10.0.0.125' interface: 10.0.0.125 reason: unexpected SMTP response

0 Karma

lguinn2
Legend

It seems like there is not a lot of consistency between the types of errors, the formats of the lines, etc.
If you only have a few types of errors, you could do something like this

yoursearchhere
| eval errorType=case(
    match(_raw,"Bounced:\sDCID\s\d+.*?Unknown address error \(.550"),"Unknown address error 550",
    match(_raw,"Connection Error.*?ERROR\: Mail refused.*?reason\: unexpected SMTP response"),"Mail refused",
    1==1,"No error"
    )
| where errorType!="No error"
| timechart span=1h count by errorType

But the case function may get unwieldy very quickly. I suggest that you use eventtypes to distinguish the types of errors. An eventtype defines a category of events based on a search - each eventtype has its own search. This facility can make things very simple - especially if you name all of the eventtypes with a simple prefix like esa_ (for example esa_450_host_rejected).

Once you have your eventtypes set up, your search and report could be very very simple:

eventtype=esa*
| timechart span=1h count by eventtype

Learn about eventtypes in the Knowledge Manager manual


0 Karma
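The eventtype approach suggested in the answer above, written out as an added eventtypes.conf example (not part of the original post). The sourcetype is a placeholder, and the search terms in the 450 and 505 stanzas are assumptions based on the error descriptions in the question, since the thread shows no sample events for them.

```ini
# eventtypes.conf, placed in an app's local/ directory (added example).
# sourcetype=your_esa_sourcetype is a placeholder: substitute the base
# search that selects your IronPort/ESA mail logs.

# Matches the first sample event in the question (bounce with a 550 reply).
[esa_550_unknown_address]
search = sourcetype=your_esa_sourcetype "Bounced" "Unknown address error" 550

# Matches the second sample event (connection error, mail refused).
[esa_554_mail_refused]
search = sourcetype=your_esa_sourcetype "Connection Error" "Mail refused" "unexpected SMTP response"

# Assumed wording: taken from the question's description, not from a sample event.
[esa_450_host_rejected]
search = sourcetype=your_esa_sourcetype 450 "Client host rejected"

# Assumed wording: taken from the question's description, not from a sample event.
[esa_505_not_authenticated]
search = sourcetype=your_esa_sourcetype 505 "not authenticated"
```

An event is tagged with every eventtype whose search it matches, so keep the stanzas mutually exclusive; otherwise one log line is counted under more than one error type in the timechart.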

vickileong
Explorer

Hi lguinn, thank you very much.

0 Karma