Grep will break it down to records in which have the From: line in it. When Gawk executes, it will respond with the 2nd to the last field, which is fine unless your log is like mine. Sometimes "ID: will have an entry, sometimes it won't which throws off the field numbering.
Chuck Cahill YFCS, Inc
At 04:52 PM 11/20/2003 -0500, you wrote:
ya, i'm getting the same error:
R:\decludelogs\spam>grep "From:" dec1119.log | gawk "{print $(NF-2)}" | usort | uniq -c | usort
'usort' is not recognized as an internal or external command,
operable program or batch file.
has any one got this to work?
Thursday, November 20, 2003, 2:56:49 PM, you wrote:
JS> I'm not very good with these unix tools in general, but my set of unxutils JS> doesn't include usort, and if I try using sort instead, I get a steady JS> stream of errors from gawk.
JS> -----Original Message----- JS> From: [EMAIL PROTECTED] JS> [mailto:[EMAIL PROTECTED] Behalf Of Bill Landry JS> Sent: Thursday, 20 November 2003 12:00 PM JS> To: [EMAIL PROTECTED] JS> Subject: Re: [Declude.JunkMail] Parse Log File
JS> If you have the Win32 UNIX tool (if not, you can get them at: JS> http://unxutils.sourceforge.net/), you can run the following script:
JS> grep "From:" spam\dec1119.log | gawk "{print $(NF-2)}" | usort | uniq -c | JS> usort
JS> which will produce output like:
JS> 86 38.113.200.29 JS> 88 38.113.200.28 JS> 94 207.244.68.34 JS> 95 66.111.231.82 JS> 98 205.157.110.11 JS> 100 66.111.231.76 JS> 106 66.35.250.206 JS> 113 64.253.207.50 JS> 125 65.168.38.245 JS> 126 209.239.38.196
JS> with the count in the first column followed by the IP address. If you want
JS> the IP address only, remove the "-c" from the script above.
JS> Bill JS> ----- Original Message ----- JS> From: "Chuck Cahill" <[EMAIL PROTECTED]> JS> To: <[EMAIL PROTECTED]> JS> Sent: Thursday, November 20, 2003 8:18 AM JS> Subject: [Declude.JunkMail] Parse Log File
>> I'm hoping someone can point me in the right direction. I'm looking for a >> way to parse the IP Address out of the Spam Log file, DecMMDD.log. Then, JS> I >> would like to tally the amount of messages received from each unique IP >> address. >> >> I'm using the option "LOG_OK NONE" in the config file so only those >> messages marked as spam should have their IP addresses in the log file >> >> By getting this information I can place the largest violators IP address >> into IMail's Control file to offset some of the overhead with processing >> messages. >> >> Anyone have something like this in place? Does this sound logical or JS> flawed? >> >> Thanks >> Chuck Cahill >> >> >> >> ******************************** >> Visit us at www.yfcs.com >> ******************************** >> --- >> [This E-mail was scanned for viruses by Declude Virus JS> (http://www.declude.com)] >> >> --- >> This E-mail came from the Declude.JunkMail mailing list. To >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >> type "unsubscribe Declude.JunkMail". The archives can be found >> at http://www.mail-archive.com. >>
JS> --- JS> [This E-mail was scanned for viruses by Declude Virus JS> (http://www.declude.com)]
JS> --- JS> This E-mail came from the Declude.JunkMail mailing list. To JS> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and JS> type "unsubscribe Declude.JunkMail". The archives can be found JS> at http://www.mail-archive.com.
JS> ---
JS> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
JS> --- JS> This E-mail came from the Declude.JunkMail mailing list. To JS> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and JS> type "unsubscribe Declude.JunkMail". The archives can be found JS> at http://www.mail-archive.com. JS> --- JS> [This E-mail scanned for viruses by Declude Virus]
-- Best regards, Administration mailto:[EMAIL PROTECTED]
--- [This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
******************************** Visit us at www.yfcs.com ******************************** --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
