Splunk Search

Link 2 searches together by a multivalue field

keiichilam
Explorer

The following is best viewed in a Courier font 🙂

I need to create a report from the QMAIL log.
There will be more than one thread writing to the log file, so the

Basically they look like this; say I have a long event for an incoming mail delivered to 2 recipients:
delivery_id should be pretty sequential, but msg_id has a very high chance of being reused immediately once the mail process finishes. Since msg_id is highly likely to be reused all the time, I cannot reverse-search from the delivery status and resolve msg_id from delivery_id.

Start Event -- msg-id

-------------- msg-id : msg-size from Sender email gp ??? uid ???

Start Delivery delivery-id : msg msg-id to local/remote recipient

...

Start Delivery delivery-id : msg msg-id to local/remote recipient

...

delivery delivery-id: success/failure/deferred: delivery-information

...

END Event ----

...

...

...

delivery : success/failure/deferred:    

so I use transaction to group msg_id events together

search qmailapplog | transaction msg_id startswith=("new msg") endswith=("end msg") 

to group msg_id events together

then I have events like the following:

2011-06-03 14:30:32.539477500 new msg 2019703

2011-06-03 14:30:32.539480500 info msg 2019703: bytes 25370 from a@b.com qp 1429 uid 502

2011-06-03 14:30:32.612800500 starting delivery 90228: msg 2019703 to remote b@a.com

2011-06-03 14:30:34.043198500 end msg 2019703

2011-06-03 14:25:57.685624500 new msg 2019703

2011-06-03 14:25:57.685626500 info msg 2019703: bytes 4166 from c@gmail.com qp 1210 uid 511

2011-06-03 14:25:57.750225500 starting delivery 90227: msg 2019703 to remote q@h.com

2011-06-03 14:25:58.028086500 end msg 2019703

2011-06-03 14:25:57.396305500 new msg 2019862

2011-06-03 14:25:57.396307500 info msg 2019862: bytes 4055 from d@gmail.com qp 1198 uid 501

2011-06-03 14:25:57.513558500 starting delivery 90221: msg 2019862 to local a1@b.com

2011-06-03 14:25:57.513563500 starting delivery 90222: msg 2019862 to remote a2@c.com

2011-06-03 14:25:57.513568500 starting delivery 90223: msg 2019862 to local a3@a.com

2011-06-03 14:25:57.513585500 starting delivery 90224: msg 2019862 to remote a4@b.com

2011-06-03 14:25:57.513607500 starting delivery 90225: msg 2019862 to local a5@a.com

2011-06-03 14:25:57.513610500 starting delivery 90226: msg 2019862 to local a6@a.com

2011-06-03 14:25:57.750253500 end msg 2019862

Therefore I will have

msg-id  : size  : sender      : recipient : delivery-id
------- : ----- : ----------- : --------- : -----------
2019703 : 25470 : a@b.com     : b@a.com   : 90228
2019703 : 4166  : c@gmail.com : q@h.com   : 90227
2019862 : 4055  : d@gmail.com : a1@b.com  : 90221
        :       :             : a2@c.com  : 90222
        :       :             : a3@c.com  : 90223
        :       :             : a4@c.com  : 90224
        :       :             : a5@c.com  : 90225
        :       :             : a6@c.com  : 90226

On the other hand, I can have a delivery transaction by
sourcetype="qmailapplog" | transaction delivery_id| table delivery_id delivery_status, delivery_info

then I would have something like
90227 success 123.123.102.30_accepted_message./Remote_host_said:250/

The problem is how I could join them together by delivery-id so I can see the incoming mail and every delivery-id's delivery result.
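As an added illustration (not from the original post and not Splunk's own code), here is the same correlation done outside Splunk in Python, so the grouping rule is explicit: a msg_id owns its deliveries only between its "new msg" and "end msg" lines, so reuse of the id does not cross-bind, and each delivery_id is then joined to its later "delivery N: status:" line. The log sample is constructed, and the "pending" status for a delivery that has no result line yet is an assumption of this example.

```python
import re
# Constructed sample of qmail-send output; msg_id 2019703 is reused by two mails.
LOG = """\
2011-06-03 14:25:57.396305500 new msg 2019862
2011-06-03 14:25:57.396307500 info msg 2019862: bytes 4055 from d@gmail.com qp 1198 uid 501
2011-06-03 14:25:57.513558500 starting delivery 90221: msg 2019862 to local a1@b.com
2011-06-03 14:25:57.685624500 new msg 2019703
2011-06-03 14:25:57.685626500 info msg 2019703: bytes 4166 from c@gmail.com qp 1210 uid 511
2011-06-03 14:25:57.750225500 starting delivery 90227: msg 2019703 to remote q@h.com
2011-06-03 14:25:57.750253500 end msg 2019862
2011-06-03 14:25:58.028086500 end msg 2019703
2011-06-03 14:25:58.300000000 delivery 90227: success: 123.123.102.30_accepted_message./Remote_host_said:250/
2011-06-03 14:30:32.539477500 new msg 2019703
2011-06-03 14:30:32.539480500 info msg 2019703: bytes 25370 from a@b.com qp 1429 uid 502
2011-06-03 14:30:32.612800500 starting delivery 90228: msg 2019703 to remote b@a.com
2011-06-03 14:30:34.043198500 end msg 2019703
2011-06-03 14:30:35.000000000 delivery 90228: deferral: Connected_but_greeting_failed./
"""
NEW = re.compile(r"new msg (\d+)$")
INFO = re.compile(r"info msg (\d+): bytes (\d+) from (\S+) ")
START = re.compile(r"starting delivery (\d+): msg (\d+) to \S+ (\S+)$")
END = re.compile(r"end msg (\d+)$")
RESULT = re.compile(r"delivery (\d+): (\w+): (\S*)$")

def correlate(log):
    """One row per delivery: (msg_id, size, sender, recipient, delivery_id, status, info)."""
    open_msgs = {}    # msg_id -> mail dict, only while its new..end span is open
    deliveries = {}   # delivery_id -> (mail dict, recipient), bound at 'starting delivery'
    results = {}      # delivery_id -> (status, info) from the later 'delivery N:' line
    for line in log.splitlines():
        body = line.split(" ", 2)[2]          # drop the two timestamp fields
        if m := NEW.match(body):
            open_msgs[m[1]] = {"msg_id": m[1], "size": None, "sender": None}
        elif m := INFO.match(body):
            open_msgs[m[1]].update(size=int(m[2]), sender=m[3])
        elif m := START.match(body):
            # The delivery belongs to whichever mail currently owns this msg_id.
            deliveries[m[1]] = (open_msgs[m[2]], m[3])
        elif m := END.match(body):
            open_msgs.pop(m[1])               # msg_id is now free to be reused
        elif m := RESULT.match(body):
            results[m[1]] = (m[2], m[3])
    rows = []
    for did, (mail, rcpt) in sorted(deliveries.items()):
        status, info = results.get(did, ("pending", ""))   # assumed label: no result line yet
        rows.append((mail["msg_id"], mail["size"], mail["sender"], rcpt, did, status, info))
    return rows

if __name__ == "__main__":
    for row in correlate(LOG):
        print(" : ".join(str(c) for c in row))
```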


keiichilam
Explorer

Solved by joining with a new field from rex. Well. 🙂
