I would like to write a search to give me all log lines relating to a particular bounced email message:

Basically I can monitor for a log line that has "postmaster-mail.sh" in it. That log line also contains the initial Message ID (which doesn't get extracted by default by I created a field called msgID).

I then have to run a series of manual searches to find out all log line.

Basically I search for w010cweA015328, the find the next message ID, which is x000mbnW025320, that will give me the next message ID which is a070yZwR021222.

So my search would end up looking like this:

sourcetype=syslog host="relay" process=sm-mta w010cweA015328 OR x000mbnW025320 OR a070yZwR021222

I then get the following lines, which tell me why the message failed and from which IP it came from.

Jan 7 11:14:57 mailserver sm-mta[00228]: w010cweA015328: to=| postmaster-mail.sh, ctladdr=postmaster (1/0), delay=00:00:01, xdelay=00:00:01, mailer=esta, pri=20001, dsn=2.0.0, stat=Sent
Jan 7 11:14:56 mailserver sm-mta[00228]: x000mbnW025320: w010cweA015328: return to sender: User unknown
Jan 7 11:14:46 mailserver sm-mta[00228]: x000mbnW025320: to=, delay=00:00:05, xdelay=00:00:05, mailer=smtp, pri=10332, relay=[10.140.12.43] [10.140.12.43], dsn=5.1.1, stat=User unknown
Jan 7 11:14:41 mailserver sm-mta[00228]: a070yZwR021222: x000mbnW025320: DSN: User unknown
Jan 7 11:14:41 mailserver sm-mta[00228]: a070yZwR021222: to=,,,,,,,,,,,,,, delay=00:00:30, xdelay=00:00:30, mailer=smtp, pri=0250112, relay=[10.140.12.43] [10.140.12.43], dsn=2.0.0, stat=Sent (<201300020033.a070yZwR021222@mailserver.ken.qt.rae.zg> Queued mail for delivery)
Jan 7 11:14:41 mailserver sm-mta[00228]: a070yZwR021222: to=,,,,,,,,,,,,,,,,,,,,,,,, [more], delay=00:00:30, xdelay=00:00:30, mailer=smtp, pri=0250112, relay=[10.140.12.43] [10.140.12.43], dsn=2.0.0, stat=Sent (<201300020033.a070yZwR021222@mailserver.ken.qt.rae.zg> Queued mail for delivery)
Jan 7 11:14:36 mailserver sm-mta[00228]: a070yZwR021222: to=, delay=00:00:25, xdelay=00:00:25, mailer=smtp, pri=0250112, relay=[10.140.12.43] [10.140.12.43], dsn=5.1.1, stat=User unknown
Jan 7 11:14:31 mailserver sm-mta[00228]: a070yZwR021222: to=, delay=00:00:20, xdelay=00:00:20, mailer=smtp, pri=0250112, relay=[10.140.12.43] [10.140.12.43], dsn=5.1.1, stat=User unknown
Jan 7 11:14:26 mailserver sm-mta[00228]: a070yZwR021222: to=, delay=00:00:15, xdelay=00:00:15, mailer=smtp, pri=0250112, relay=[10.140.12.43] [10.140.12.43], dsn=5.1.1, stat=User unknown
Jan 7 11:14:21 mailserver sm-mta[00228]: a070yZwR021222: to=, delay=00:00:10, xdelay=00:00:10, mailer=smtp, pri=0250112, relay=[10.140.12.43] [10.140.12.43], dsn=5.1.1, stat=User unknown
Jan 7 11:14:16 mailserver sm-mta[00228]: a070yZwR021222: to=, delay=00:00:05, xdelay=00:00:05, mailer=smtp, pri=0250112, relay=[10.140.12.43] [10.140.12.43], dsn=5.1.1, stat=User unknown
Jan 7 11:14:11 mailserver sm-mta[11642]: a070yZwR021222: from=, size=1210, class=0, nrcpts=41, msgid=<201300020033.a070yZwR021222@mailserver.ken.qt.rae.zg>, proto=DEANA, daemon=MTA, relay=guogcagiv01 [10.005.12.107] 

The first message ID will give me the first two line, the second one will give me the next 2 and the third the rest.

I've tried a number of things, but am having problems working it out. My first thought was to use sub searches, so I tried to extract the msg ID, but that did not work (mostly because the msgID if the second line is different to the message ID of the first line).

I would need to run the second search without the msgID= part (ie only the actual value w010cweA015328)

I'm sure there is an easier way, but I can't think of it.

Thanks.