We need to pick the message id from the start event and also include all events that have this message id and occur before the end event.

Additionally, the delivery id makes up the transaction. As you can see from the log excerpt above, qmail transactions start with new msg and end with end msg. You can then use the transaction command to group events. This search fetches all log events that either have a message id or a delivery id for any message or delivery ids that appear in context with the recipient address. Let's do this and directly combine it with a subsearch:

You can, in fact, put the format command in your subsearch yourself and use parameters to modify the resulting string. Finally, the resulting query is executed. Then, the value from this search field is taken as a replacement for the subsearch part of the query. This will return a single event with a field named search and a value like

Index=mail sourcetype=qmail_current | fields qmail_msg qmail_delivery | format

This works because Splunk applies the format command implicitly on subsearches. With a default Splunk subsearch, the outer search will get all events where every field returned from the subsearch matches. Now, in order to get a complete report including delivery progress, we need to consider all log events that include either the appropriate message id or delivery id. Having done our homework, Splunk extractions are set up in a way that we get the qmail_msg and qmail_delivery fields for this event.

Index=mail sourcetype=qmail_current

In particular, this will find the starting delivery events for this address, like the third log line shown above.

Use a subsearch to narrow down relevant events

First, let's start with a simple Splunk search for the recipient address. In order to get a comprehensive Splunk report for a given email address and to make it run in acceptable time, I had to learn about Splunk subsearches and transaction grouping.
That's probably due to the way the qmail architecture uses different processes for isolated tasks.