Search Proofpoint Logs

Hi, I was hoping to get help for a search. I haven't had much time to spend on it, so I apologize for not trying harder first.

I've started out with the searches below, but both only return 2 results, even though there are over 1K log entries of the same format.

    index=xyz | transaction startswith="cmd=connect" endswith="cmd=disconnect"

or:

    index=xyz * | transaction s,m maxspan=301s startswith="mod=session cmd=connect" endswith="mod=session cmd=disconnect"

I want to pull items such as value=abc@xyz.com where cmd=env_rcpt, value=uvh@gmail.com where cmd=env_from, and pull 'subject' and various scores, like '3' from suspectscore=3.

The log entries are of the format below.

Thanks

[2011-10-23 16:05:59.502387 +0000] rprt s=10kch03n9t mod=session cmd=connect ip=209.85.210.182 perlwait=0.085 [2011-10-23 16:06:26.251606 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_from value=uvh@gmail.com qid=p9NG5xMt010615 ip=209.85.210.182 [2011-10-23 16:06:26.405437 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_rcpt r=1 value=abc@xyz.com verified= routes= [2011-10-23 16:06:26.875486 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=spam cmd=run score=0 spamscore=0 ipscore=0 suspectscore=3 phishscore=0 bulkscore=0 adultscore=0 duration=0.091 [2011-10-23 16:06:26.879828 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=msg module=spf rule=pass action=continue attachments=0 rcpts=1 subject="Hi" spamscore=0 [2011-10-23 16:06:56.927722 +0000] rprt s=10kch03n9t mod=session cmd=disconnect module= rule= action= helo=mail-iy0-f182.google.com msgs=3 rcpts=3 routes= duration=1.119 elapsed=57.43

[2011-10-23 17:05:59.502387 +0000] rprt s=10kch03n9t mod=session cmd=connect ip=209.85.210.182 perlwait=0.085 [2011-10-23 17:06:26.251606 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_from value=xyz@hotmail.com qid=p9NG5xMt010615 ip=209.85.210.182 [2011-10-23 17:06:26.405437 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_rcpt r=1 value=123@xyz.com verified= routes= [2011-10-23 17:06:26.875486 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=spam cmd=run score=0 spamscore=0 ipscore=0 suspectscore=3 phishscore=0 bulkscore=0 adultscore=0 duration=0.091 [2011-10-23 17:06:26.879828 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=msg module=spf rule=pass action=continue attachments=0 rcpts=1 subject="Hi" spamscore=0 [2011-10-23 17:06:56.927722 +0000] rprt s=10kch03n9t mod=session cmd=disconnect module= rule= action= helo=mail-iy0-f182.google.com msgs=3 rcpts=3 routes= duration=1.119 elapsed=57.43

[2011-10-23 18:05:59.502387 +0000] rprt s=10kch03n9t mod=session cmd=connect ip=209.85.210.182 perlwait=0.085 [2011-10-23 18:06:26.251606 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_from value=123@gmail.com qid=p9NG5xMt010615 ip=209.85.210.182 [2011-10-23 18:06:26.405437 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_rcpt r=1 value=xxtt@xyz.com verified= routes= [2011-10-23 18:06:26.875486 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=spam cmd=run score=0 spamscore=0 ipscore=0 suspectscore=3 phishscore=0 bulkscore=0 adultscore=0 duration=0.091 [2011-10-23 18:06:26.879828 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=msg module=spf rule=pass action=continue attachments=0 rcpts=1 subject="Hi" spamscore=0 [2011-10-23 18:06:56.927722 +0000] rprt s=10kch03n9t mod=session cmd=disconnect module= rule= action= helo=mail-iy0-f182.google.com msgs=3 rcpts=3 routes= duration=1.119 elapsed=57.43
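As an added example, not part of the original question and not Splunk's or Proofpoint's own code, here is a small Python parser for the key=value format shown above. It splits the text on the "[timestamp]" markers so each line becomes its own record, then rebuilds connect-to-disconnect sessions the way "transaction startswith=cmd=connect endswith=cmd=disconnect" is meant to, collecting the env_from, env_rcpt, subject and score fields the question asks for. The sample log is constructed: the second session id, IP, HELO name, subject and scores are made up so that quoted values with spaces and a score threshold have something to exercise.

```python
import re

# Constructed sample (not from the question): two connect/disconnect sessions in the
# same key=value format as the log entries above. The second session id, IP, HELO,
# subject and scores are made up.
SAMPLE_LOG = """\
[2011-10-23 16:05:59.502387 +0000] rprt s=10kch03n9t mod=session cmd=connect ip=209.85.210.182 perlwait=0.085
[2011-10-23 16:06:26.251606 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_from value=uvh@gmail.com qid=p9NG5xMt010615 ip=209.85.210.182
[2011-10-23 16:06:26.405437 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_rcpt r=1 value=abc@xyz.com verified= routes=
[2011-10-23 16:06:26.875486 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=spam cmd=run score=0 spamscore=0 ipscore=0 suspectscore=3 phishscore=0 bulkscore=0 adultscore=0 duration=0.091
[2011-10-23 16:06:26.879828 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=msg module=spf rule=pass action=continue attachments=0 rcpts=1 subject="Hi" spamscore=0
[2011-10-23 16:06:56.927722 +0000] rprt s=10kch03n9t mod=session cmd=disconnect module= rule= action= helo=mail-iy0-f182.google.com msgs=3 rcpts=3 routes= duration=1.119 elapsed=57.43
[2011-10-23 17:05:59.502387 +0000] rprt s=zz9abc1234 mod=session cmd=connect ip=198.51.100.7 perlwait=0.085
[2011-10-23 17:06:26.251606 +0000] rprt s=zz9abc1234 m=1 x=p9NH6yNu020716 mod=mail cmd=env_from value=xyz@hotmail.com qid=p9NH6yNu020716 ip=198.51.100.7
[2011-10-23 17:06:26.405437 +0000] rprt s=zz9abc1234 m=1 x=p9NH6yNu020716 mod=mail cmd=env_rcpt r=1 value=123@xyz.com verified= routes=
[2011-10-23 17:06:26.875486 +0000] rprt s=zz9abc1234 m=1 x=p9NH6yNu020716 mod=spam cmd=run score=0 spamscore=0 ipscore=0 suspectscore=7 phishscore=2 bulkscore=0 adultscore=0 duration=0.091
[2011-10-23 17:06:26.879828 +0000] rprt s=zz9abc1234 m=1 x=p9NH6yNu020716 mod=mail cmd=msg module=spf rule=pass action=continue attachments=0 rcpts=1 subject="Invoice attached" spamscore=0
[2011-10-23 17:06:56.927722 +0000] rprt s=zz9abc1234 mod=session cmd=disconnect module= rule= action= helo=mail.example.net msgs=1 rcpts=1 routes= duration=1.119 elapsed=57.43
"""

TS_PATTERN = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}"
# One record is "[timestamp] body"; the body runs until the next "[timestamp]" or end of text,
# so it works whether records are newline-separated or run together on one line.
RECORD_RE = re.compile(
    r"\[(?P<ts>" + TS_PATTERN + r")\]\s*(?P<body>.*?)(?=\s*\[" + TS_PATTERN + r"\]|\Z)", re.S
)
# key=value, where the value is either a double-quoted string (may contain spaces)
# or a run of non-space characters, possibly empty (e.g. "verified=").
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_records(text):
    """Split a Proofpoint-style log blob into one dict of fields per timestamped record."""
    records = []
    for m in RECORD_RE.finditer(text):
        fields = {"_time": m.group("ts")}
        for key, value in KV_RE.findall(m.group("body")):
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')  # drop quotes, unescape \"
            fields[key] = value
        records.append(fields)
    return records


def build_sessions(records):
    """Group records into sessions: a session opens on mod=session cmd=connect and closes
    on cmd=disconnect, so a reused session id (s=) on a later connect starts a fresh one."""
    sessions, current = [], None
    for rec in records:
        cmd = rec.get("cmd")
        if rec.get("mod") == "session" and cmd == "connect":
            current = {"s": rec.get("s"), "start": rec["_time"], "end": None, "helo": None,
                       "client_ip": rec.get("ip"), "env_from": [], "env_rcpt": [],
                       "subjects": [], "scores": {}}
            sessions.append(current)
            continue
        if current is None:
            continue  # record outside any session (log starts mid-session); skip it
        if cmd == "env_from":
            current["env_from"].append(rec.get("value", ""))
        elif cmd == "env_rcpt":
            current["env_rcpt"].append(rec.get("value", ""))
        elif cmd == "msg" and "subject" in rec:
            current["subjects"].append(rec["subject"])
        elif rec.get("mod") == "spam" and cmd == "run":
            # score=, spamscore=, suspectscore=, phishscore=, ... as integers
            for key, value in rec.items():
                if (key == "score" or key.endswith("score")) and value.lstrip("-").isdigit():
                    current["scores"][key] = int(value)
        elif rec.get("mod") == "session" and cmd == "disconnect":
            current["end"] = rec["_time"]
            current["helo"] = rec.get("helo")
            current = None
    return sessions


def flag_sessions(sessions, score_name, threshold):
    """Return the sessions whose named score (e.g. suspectscore) reaches the threshold."""
    return [s for s in sessions if s["scores"].get(score_name, 0) >= threshold]


if __name__ == "__main__":
    for s in build_sessions(parse_records(SAMPLE_LOG)):
        print(s["s"], s["env_from"], s["env_rcpt"], s["subjects"], s["scores"].get("suspectscore"))
```

Splunk extracts key=value pairs like these automatically at search time; what this script adds is the explicit split on the "[timestamp]" markers, which is worth checking first when a transaction search returns far fewer results than expected: if several records were indexed as one multi-line event, the connect and disconnect you are pairing may already be inside the same event.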
