I can't wrap my head around how to accomplish this, but postfix logs two separate events for one email. The first event contains the from address:
Feb 17 06:01:44 hostname postfix/qmgr[1544]: DE82B40611: from=<email@domain.com>, size=288, nrcpt=1 (queue active)
The second event contains the to address, status and other goodies:
Feb 17 06:01:45 hostname postfix/smtp[17553]: DE82B40611: to=<email@domain.com>, relay=mx.domain.com[123.123.12.123]:25, delay=30, delays=29/0/0.12/0.27, dsn=2.6.0, status=sent (250 2.6.0 <b36c397a-023f-428b-bd5a-f88c7e80d2a7@mx.domain.com> Queued mail for delivery)
I want to build a search based on the from address, but do stats on the status (separate counts for deferred, sent, reject etc.). Any way I could make Splunk realize these two events are related?
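The two events share the postfix queue id (DE82B40611 above), which is the key that ties them together; in Splunk the usual approach is to extract that id into a field and aggregate on it, for example `stats values(from) as from values(status) as status by qid`, then count by status. The following Python script is an added example (not from the question's author and not Splunk code) that performs the same join outside Splunk so the logic is visible end to end: it reads postfix log lines, groups the qmgr and smtp fragments by queue id, and returns status counts for a given sender. The log lines are constructed for this example (queue ids, addresses and relays are made up); the regular expressions assume the default short hex queue ids shown in the question.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log modelled on the two events in the question:
# one sent message, one deferred, one bounced (all values are made up).
SAMPLE_LOG = """\
Feb 17 06:01:44 hostname postfix/qmgr[1544]: DE82B40611: from=<alice@example.com>, size=288, nrcpt=1 (queue active)
Feb 17 06:01:45 hostname postfix/smtp[17553]: DE82B40611: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=30, delays=29/0/0.12/0.27, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Feb 17 06:02:01 hostname postfix/qmgr[1544]: 7A1C2B3D45: from=<alice@example.com>, size=512, nrcpt=1 (queue active)
Feb 17 06:02:31 hostname postfix/smtp[17560]: 7A1C2B3D45: to=<carol@example.org>, relay=none, delay=30, delays=30/0/0/0, dsn=4.4.1, status=deferred (connect to mx.example.org[192.0.2.20]:25: Connection refused)
Feb 17 06:03:10 hostname postfix/qmgr[1544]: 9F8E7D6C5B: from=<mallory@example.com>, size=1024, nrcpt=1 (queue active)
Feb 17 06:03:11 hostname postfix/smtp[17561]: 9F8E7D6C5B: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1, delays=0.5/0/0.2/0.3, dsn=5.1.1, status=bounced (host mx.example.net[192.0.2.10] said: 550 5.1.1 User unknown)
"""

# The queue id is the hex token after "postfix/<daemon>[<pid>]: ".
# Assumes default short queue ids; long queue ids would need [0-9A-Za-z]+.
QID_RE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)$")
FROM_RE = re.compile(r"from=<([^>]*)>")
TO_RE = re.compile(r"to=<([^>]*)>")
STATUS_RE = re.compile(r"status=(\w+)")


def correlate(log_text):
    """Join the per-queue-id fragments into one record per message.

    Returns {qid: {"from": sender, "deliveries": [(recipient, status), ...]}}.
    A message with nrcpt > 1 produces one smtp line per recipient, so
    deliveries is a list rather than a single status.
    """
    messages = defaultdict(lambda: {"deliveries": []})
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue  # not a postfix queue event (e.g. a connect/disconnect line)
        qid, rest = m.groups()
        rec = messages[qid]
        f = FROM_RE.search(rest)
        if f:
            rec["from"] = f.group(1)  # qmgr event carries the envelope sender
        t = TO_RE.search(rest)
        s = STATUS_RE.search(rest)
        if t and s:
            rec["deliveries"].append((t.group(1), s.group(1)))  # smtp event
    return dict(messages)


def status_counts_for_sender(log_text, sender):
    """Count delivery statuses (sent/deferred/bounced/...) for one sender.

    This is the equivalent of searching on the from address and then doing
    stats on status: filter on the joined record, count per delivery attempt.
    """
    counts = Counter()
    for rec in correlate(log_text).values():
        if rec.get("from") == sender:
            for _recipient, status in rec["deliveries"]:
                counts[status] += 1
    return counts


if __name__ == "__main__":
    for sender in ("alice@example.com", "mallory@example.com"):
        print(sender, dict(status_counts_for_sender(SAMPLE_LOG, sender)))
```

Counts are per delivery attempt, so a recipient that is deferred several times before succeeding is counted once per attempt, which matches what a per-event count in Splunk would report; collapse to the final status per recipient if that is what the report needs.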