Hmmm, didn't realize that the ID was missing at times. However, you cannot
count the fields in the other direction because of the possibility of
multiple "To" e-mail addresses on the line. Chuck, try this modified script
and see if it will work better for you.
grep "From:" spam\dec1119.log | cut -d ":" -f 6 | tr -d "ID" | usort | uniq -c | usort
Bill
----- Original Message -----
From: "Chuck Cahill" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 20, 2003 2:05 PM
Subject: Re[2]: [Declude.JunkMail] Parse Log File
> It kinda works if you use sort instead of usort. But beware, it's not quite
> accurate.
>
> Grep will break it down to records which have the From: line in
> it. When Gawk executes, it will respond with the 2nd to the last field,
> which is fine unless your log is like mine. Sometimes "ID:" will have an
> entry, sometimes it won't, which throws off the field numbering.
>
>
> Chuck Cahill
> YFCS, Inc
>
> At 04:52 PM 11/20/2003 -0500, you wrote:
> >ya, i'm getting the same error:
> >
> >R:\decludelogs\spam>grep "From:" dec1119.log | gawk "{print $(NF-2)}" |
> >usort | uniq -c | usort
> >'usort' is not recognized as an internal or external command,
> >operable program or batch file.
> >
> >has any one got this to work?
> >
> >
> >
> >
> >Thursday, November 20, 2003, 2:56:49 PM, you wrote:
> >
> >JS> I'm not very good with these unix tools in general, but my set of unxutils
> >JS> doesn't include usort, and if I try using sort instead, I get a steady
> >JS> stream of errors from gawk.
> >
> >JS> -----Original Message-----
> >JS> From: [EMAIL PROTECTED]
> >JS> [mailto:[EMAIL PROTECTED] Behalf Of Bill Landry
> >JS> Sent: Thursday, 20 November 2003 12:00 PM
> >JS> To: [EMAIL PROTECTED]
> >JS> Subject: Re: [Declude.JunkMail] Parse Log File
> >
> >
> >JS> If you have the Win32 UNIX tool (if not, you can get them at:
> >JS> http://unxutils.sourceforge.net/), you can run the following script:
> >
> >JS> grep "From:" spam\dec1119.log | gawk "{print $(NF-2)}" | usort | uniq -c | usort
> >
> >JS> which will produce output like:
> >
> >JS> 86 38.113.200.29
> >JS> 88 38.113.200.28
> >JS> 94 207.244.68.34
> >JS> 95 66.111.231.82
> >JS> 98 205.157.110.11
> >JS> 100 66.111.231.76
> >JS> 106 66.35.250.206
> >JS> 113 64.253.207.50
> >JS> 125 65.168.38.245
> >JS> 126 209.239.38.196
> >
> >JS> with the count in the first column followed by the IP address. If you want
> >JS> the IP address only, remove the "-c" from the script above.
> >
> >JS> Bill
> >JS> ----- Original Message -----
> >JS> From: "Chuck Cahill" <[EMAIL PROTECTED]>
> >JS> To: <[EMAIL PROTECTED]>
> >JS> Sent: Thursday, November 20, 2003 8:18 AM
> >JS> Subject: [Declude.JunkMail] Parse Log File
> >
> >
> > >> I'm hoping someone can point me in the right direction. I'm looking for a
> > >> way to parse the IP Address out of the Spam Log file, DecMMDD.log. Then, I
> > >> would like to tally the amount of messages received from each unique IP
> > >> address.
> > >>
> > >> I'm using the option "LOG_OK NONE" in the config file so only those
> > >> messages marked as spam should have their IP addresses in the log file
> > >>
> > >> By getting this information I can place the largest violators IP address
> > >> into IMail's Control file to offset some of the overhead with processing
> > >> messages.
> > >>
> > >> Anyone have something like this in place? Does this sound logical or flawed?
> > >>
> > >> Thanks
> > >> Chuck Cahill
> > >>
> > >>
> > >>
> > >> ********************************
> > >> Visit us at www.yfcs.com
> > >> ********************************
> > >> ---
> > >> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
> > >>
> > >> ---
> > >> This E-mail came from the Declude.JunkMail mailing list. To
> > >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > >> type "unsubscribe Declude.JunkMail". The archives can be found
> > >> at http://www.mail-archive.com.
> > >>
> >
> >--
> >Best regards,
> > Administration mailto:[EMAIL PROTECTED]
> >
>
>
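An added example, not part of the original thread: the tally discussed above, done by matching the address pattern instead of counting fields, so an empty ID or several To addresses cannot shift the result. The function names `tally_ips` and `sample_log` are hypothetical, the log lines are constructed (the real Declude layout is assumed to carry the sender IP as the only dotted quad on a From: line), and it is written for a POSIX shell with awk rather than the cmd.exe prompt used in the thread.

```shell
#!/bin/sh
# tally_ips FILE [MIN]: count sender IPs on "From:" lines, busiest first.
# FILE may be "-" for stdin; MIN drops addresses seen fewer than MIN times.
tally_ips() {
    awk -v min="${2:-1}" '
        /From:/ {
            line = $0
            # Walk each dotted-quad candidate; position on the line is irrelevant.
            while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr(line, RSTART, RLENGTH)
                line = substr(line, RSTART + RLENGTH)
                split(ip, o, ".")
                ok = 1
                for (i = 1; i <= 4; i++)
                    if (length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
                if (ok) { count[ip]++; break }   # first valid address wins
            }
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample lines (hypothetical layout): two have an empty ID,
# one has two To addresses, one has no From: and must be ignored.
sample_log() {
cat <<'EOF'
11/19/2003 00:00:12 Q0001 Msg failed TESTA. From: a@example.com To: u1@example.net IP: 192.0.2.10 ID: x1
11/19/2003 00:00:15 Q0002 Msg failed TESTA. From: b@example.com To: u1@example.net u2@example.net IP: 192.0.2.10 ID:
11/19/2003 00:01:02 Q0003 Msg failed TESTB. From: c@example.com To: u3@example.net IP: 198.51.100.7 ID: x3
11/19/2003 00:01:40 Q0004 Msg failed TESTA. From: d@example.com To: u1@example.net IP: 192.0.2.10 ID: x4
11/19/2003 00:02:00 Q0005 Tests run for 203.0.113.5, nothing failed
11/19/2003 00:02:31 Q0006 Msg failed TESTB. From: e@example.com To: u4@example.net IP: 198.51.100.7 ID:
EOF
}

# Demo: addresses seen at least twice in the constructed sample.
sample_log | tally_ips - 2
```

For a real log, pass the file name instead of `-`, for example `tally_ips dec1119.log 50`.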