« Previous Next »

• 10-03-2008, 1:30 PM

  1Fastrider Joined on 10-03-2008, 1:25 PM CA Posts 4

  Help with Exchange tracking logs Reply Contact Been doing some reading but I'm still new to this. I want to parse my exchange logs and count the domain names and return the top 10 sending domains.  All our mail comes through a hosted service so can't use the server IP value.  Here's what I'm using to get the top senders but I only want the domain, not individual addresses: >logparser -i:w3c -o:chart "SELECT TOP 10 [Sender-address], count(*) as Inbound_Domains into chart.gif from '\\server\server.LOG\*.log' GROUP BY [Sender-Address] " -charttype:column3d

• 10-03-2008, 4:25 PM

  In reply to

  KristoferG Joined on 11-03-2004, 5:50 AM Sweden Posts 55

  Re: Help with Exchange tracking logs Reply Contact Hi! Please forgive me, but i don't work with Exchange logs, but from my understanding of your message, Sender-Address gives you name@domain.tld. You want to get "domain.tld" from this field in the log file. Is this correct? If this is correct, then you should look into the EXTRACT_SUFFIX(...) function. If I remember the syntax correctly, your query would be: SELECT TOP 10 EXTRACT_SUFFIX([Sender-Address],0,'@'), count(*) as .... GROUP BY EXTRACT_SUFFIX([Sender-Address],0,'@') ... Kristofer Gafvert http://www.gafvert.info/iis/

• 10-03-2008, 4:52 PM

  In reply to

  1Fastrider Joined on 10-03-2008, 1:25 PM CA Posts 4

  Re: Help with Exchange tracking logs Reply Contact That did the trick.  Thanks very much.  The only thing to figure out is after the domain name in the chart is a small square icon (null character?). Not sure how to remove that but at least the chart looks good so far.  Below is what I ran  logparser -i:w3c -o:chart "SELECT TOP 10 EXTRACT_SUFFIX([Sender-Address],0,'@'), count(*) as Inbound_Domains into chart.gif from '\\servername\servername.LOG\20080925.log' GROUP BY EXTRACT_SUFFIX([Sender-Address],0,'@')" -charttype:column3d

• 10-03-2008, 5:16 PM

  In reply to

  KristoferG Joined on 11-03-2004, 5:50 AM Sweden Posts 55	Re: Help with Exchange tracking logs Reply Contact That is great! As you say, that square icon is probably some kind of character. Once you have figured out what it is, you may remove it by using EXTRACT_SUFFIX, EXTRACT_PREFIX or EXTRACT_TOKEN, depending on whichever is better. Kristofer Gafvert http://www.gafvert.info/iis/

• 10-03-2008, 5:17 PM

  In reply to

  1Fastrider Joined on 10-03-2008, 1:25 PM CA Posts 4	Re: Help with Exchange tracking logs Reply Contact I'll play with it but I should be able to get it. Thank you again.