Hi. I have a search question, and I believe the answer involves using transactions.
I have defined two eventtypes: majordomo-from and majordomo-to.
A "majordomo-from" event looks like this:
Oct 27 10:59:45 lists.somedomain.com postfix/qmgr[7908]: 839A28014A: from=<foo@somedomain.com>, size=2780, nrcpt=1 (queue active)
A "majordomo-to" event looks like this:
Oct 27 10:59:45 lists.somedomain.com postfix/local[10541]: 839A28014A: to=<somelist@lists.somedomain.com>, relay=local, delay=0.27, delays=0.04/0/0/0.22, dsn=2.0.0, status=sent (delivered to command: /usr/lib/majordomo/wrapper resend -l somelist -h llists.somedomain.com somelist-23901 )
I have defined queue_id (839A28014A) as a field, which is common to both eventtypes.
In a single query, I need to be able to see who sent a message to which mailing list. In the above example, we can see that foo@somedomain.com sent a message to somelist@lists.somedomain.com. The common field between the two events is queue_id. So I tried this query:
eventtype=majordomo-from OR eventtype=majordomo-to to="somelist@lists.somedomain.com" | transaction queue_id maxspan=2m
This only returns the event with the eventtype of majordomo-to. I understand why; a majordomo-from will never have the "to" field.
How can I run a search against these majordomo eventtypes with a common queue_id? I've tried various things, including the example above, but I can't seem to get it... Any suggestions would be appreciated. Thanks!
eventtype=majordomo-from OR eventtype=majordomo-to |stats values(eventtype) as events values(to) as to values(from) as from by queue_id
something like this should work.
Wow, thank you for the query (and quick response)! Works great!