I have a file that have entries like this among other lines
Feb 16 17:30:18 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<accountin@myserver.com>, method=PLAIN, rip=200.250.9.210, lip=10.10.10.10, session=<Sed519rVnADI+gnS>
Every time one line like this is found, I want to extract the IPs associated on the rip part but I want to extract IPs that shows at least 3 times.
I am trying to use grep to do this.
This is the grep I have
more /var/log/maillog-20130217 | grep "auth failed" | grep -o '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4
][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
this grep shows all IPs that are in the matching lines
How do I limit this grep to just show IPs if I have at least 3 matching lines with that IP and just unique IPs?
I mean this. Suppose my log has this
Feb 16 17:30:18 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<accountin@myserver.com>, method=PLAIN, rip=200.250.9.210, lip=10.10.10.10, session=<Sed519rVnADI+gnS>
Feb 16 17:30:18 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<accountin@myserver.com>, method=PLAIN, rip=200.250.9.210, lip=10.10.10.10, session=<Sed519rVnADI+gnS>
Feb 16 17:30:18 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<accountin@myserver.com>, method=PLAIN, rip=20.20.20.20, lip=10.10.10.10, session=<Sed519rVnADI+gnS>
Feb 16 17:30:18 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<accountin@myserver.com>, method=PLAIN, rip=200.250.9.210, lip=10.10.10.10, session=<Sed519rVnADI+gnS>
I would like to use grep and obtain 200.250.9.210 because I have 3 lines there with this IP, but not 20.20.20.20 that appears just one time.
What I have when I run my grep I have is this
200.250.9.210
200.250.9.210
20.20.20.20
200.250.9.210
or in other words, it is listing all IPs that are in matching lines.
thanks.
Best Answer
Would give you the matching IP addresses with their number of occurrence sorted by number of occurrence.