I have created a dashboard that allows me to search my sendmail logs for some component of a mail transaction (e.g. mail from, rcpt to, subject, etc.) and uses transaction to find and group all events related to any hits:
index=sendmail host=mail-gw* [ search index=sendmail host=mail-gw* to="someone@example.org" | fields qid ] | transaction qid
It's fairly simple and works for most cases. However, sendmail qids are case-sensitive, and there are a number of times where the qid returned matches another qid only due to case insensitivity. I understand that search, by default, treats field key names as case-sensitive and field values as case-insensitive, and that most of the time that is desired. The problem is that whatever is returned from the subsearch is case-sensitive, but the outer search is not case-sensitive. Any efficient way around this?
I apologize if this is a repost of a common question (trust me, I know, because I searched for hours), but I could not find any solutions that fit this particular situation.
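The grouping problem described in the post, reproduced outside Splunk as an added example (this is not code from the post or from Splunk). It parses a few constructed sendmail-style log lines, runs the "subsearch" (collect the qids of events whose field matches a value) and then the "outer search" (group every event carrying one of those qids, the way transaction qid does), once with a case-insensitive qid join and once with a case-sensitive one. Two of the constructed qids differ only in letter case, so the case-insensitive join silently merges two unrelated mail transactions, which is exactly the kind of mix-up that matters when a mail-gateway log is being used to reconstruct who sent what to whom. The log lines, qids, hostnames and addresses are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sendmail-style log lines (not real traffic). The qids
# r3BL2Cr7012345 and r3bl2cr7012345 differ only in case and belong to
# two unrelated messages from two different senders.
SAMPLE_LOGS = """\
Jan 12 10:00:01 mail-gw1 sendmail[4011]: r3BL2Cr7012345: from=<alice@example.org>, size=2048, nrcpts=1
Jan 12 10:00:02 mail-gw1 sendmail[4012]: r3BL2Cr7012345: to=<someone@example.org>, delay=00:00:01, stat=Sent
Jan 12 10:05:10 mail-gw2 sendmail[5120]: r3bl2cr7012345: from=<bob@example.net>, size=512, nrcpts=1
Jan 12 10:05:11 mail-gw2 sendmail[5121]: r3bl2cr7012345: to=<other@example.com>, delay=00:00:01, stat=Sent
Jan 12 10:07:30 mail-gw1 sendmail[4030]: r3BL3Xq9012399: from=<carol@example.org>, size=100, nrcpts=1
Jan 12 10:07:31 mail-gw1 sendmail[4031]: r3BL3Xq9012399: to=<someone@example.org>, delay=00:00:01, stat=Sent
"""

# syslog prefix, "sendmail[pid]:", then the queue id and the key=value body
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<body>.*)$"
)
# key=value pairs such as from=<addr>, stat=Sent, delay=00:00:01
KV_RE = re.compile(r"(\w+)=<?([^,>]*)>?")


def parse(logs):
    """Turn raw log text into a list of event dicts with extracted fields."""
    events = []
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not sendmail queue-id records
        ev = m.groupdict()
        for key, val in KV_RE.findall(ev["body"]):
            ev[key] = val
        events.append(ev)
    return events


def subsearch_qids(events, field, value):
    """The inner search: qids of events whose field equals value.

    Field values are compared case-insensitively, mirroring the default
    behaviour the post describes for field values.
    """
    return {ev["qid"] for ev in events
            if ev.get(field, "").lower() == value.lower()}


def transaction_by_qid(events, qids, case_sensitive):
    """The outer search plus 'transaction qid': group events by queue id.

    With case_sensitive=False the join key is lowercased, so qids that
    differ only in case collapse into one group (the failure mode in the
    post). With case_sensitive=True each distinct qid stays separate.
    """
    key = (lambda q: q) if case_sensitive else (lambda q: q.lower())
    wanted = {key(q) for q in qids}
    groups = defaultdict(list)
    for ev in events:
        k = key(ev["qid"])
        if k in wanted:
            groups[k].append(ev)
    return dict(groups)


def find_transactions(logs, field, value, case_sensitive):
    """End-to-end: subsearch for qids, then group all events with those qids."""
    events = parse(logs)
    return transaction_by_qid(events, subsearch_qids(events, field, value),
                              case_sensitive)


if __name__ == "__main__":
    for cs in (False, True):
        groups = find_transactions(SAMPLE_LOGS, "to", "someone@example.org", cs)
        print(f"case_sensitive={cs}:")
        for qid, evs in sorted(groups.items()):
            senders = sorted({e["from"] for e in evs if "from" in e})
            print(f"  {qid}: {len(evs)} events, from={senders}")
```

Run against the constructed lines, the case-insensitive pass reports a single group for r3bl2cr7012345 containing four events and two different senders, while the case-sensitive pass keeps alice's and bob's messages apart and returns only the two transactions that actually delivered to someone@example.org.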