Steve was posting this on my behalf. The "| transaction x keepevicted=true|table _time,from,rcpt,subject,file" portion is NOT the problem.
The query "index=mta_syslog_log CLKPER CA+v91aLeKkW-cLRx67G-ASwtNLAKnWT5xmfSVz4bOe78fgTibg@mail.gmail.com|table message_id"
is just a stand-in, to return the messageid for further processing. It does, in fact, return the string "CA+v91aLeKkW-cLRx67G-ASwtNLAKnWT5xmfSVz4bOe78fgTibg@mail.gmail.com",
and if I use the remainder of the query, with the messageid plugged in literally, "index="mta_syslog_log" CA+v91aLeKkW-cLRx67G-ASwtNLAKnWT5xmfSVz4bOe78fgTibg@mail.gmail.com | table x", that returns the proper x values for further processing.
But when I embed the original query into the other one, as follows, I do not get the same x results as above:
"index="mta_syslog_log" [search index=mta_syslog_log CLKPER CA+v91aLeKkW-cLRx67G-ASwtNLAKnWT5xmfSVz4bOe78fgTibg@mail.gmail.com|table message_id] | table x"
Does that make more sense?
Thanks
John McCash