Thanks!
The data in question are postfix logs:
Aug 8 07:32:49 localhost Aug 8 07:32:49 postfix/smtp[64151]: 5860A98052B: to=xxxx@domain.com, relay=relay[x.x.x.x]:25, conn_use=13, delay=0.75, delays=0.49/0/0.01/0.25, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B720D58C6B1)
My query contains the following:
rex field=delays "(?<delaya>.*)\/(?<delayb>.*)\/(?<delayc>.*)\/(?<delayd>.*)" | eval delay_test = delayb + delayc + delayd | timechart span="1m" max(delay_test) by host useother=f usenull=f
So the value I need to be evaluated is delay_test if it is null for any duration of time