I am searching through postfix email logs and trying to put all the relevant logs together for each email. I am also setting up the search in a view so that our email admin can just type in the search string and find an email.
The first search I came up with is as follows. This search worked well but was very slow for searches of 24 hours or more (we log about 500,000 emails a day).
<row>
<chart>
<title>Number of Messages over Time</title>
<searchTemplate>sourcetype=postfix_syslog | transaction keepevicted=true message_pid | search to=*$Username$* | timechart count by host</searchTemplate>
<option name="charting.chart">column</option>
<option name="charting.primaryAxisTitle.text">Timeline</option>
<option name="charting.secondaryAxisTitle.text">Messages</option>
<option name="charting.legend.placement">right</option>
</chart>
</row>
<row>
<event>
<title>Message Logs</title>
<searchTemplate>sourcetype=postfix_syslog | transaction keepevicted=true message_pid | search to=*$Username$* OR orig_to=*$Username$*</searchTemplate>
<option name="count">20</option>
<option name="showPager">true</option>
</event>
</row>
I then changed the search to the following and it worked a lot faster, but now it does not display a progress bar. This is causing our email admins to keep clicking, thinking it has locked up.
<row>
<chart>
<title>Number of Messages over Time</title>
<searchTemplate>sourcetype=postfix_syslog [ search sourcetype=postfix_syslog *$Username$* | dedup message_pid | fields message_pid ] | transaction keepevicted=true fields=message_pid maxspan=3m maxpause=1m | timechart count by host</searchTemplate>
<option name="charting.chart">column</option>
<option name="charting.primaryAxisTitle.text">Timeline</option>
<option name="charting.secondaryAxisTitle.text">Messages</option>
<option name="charting.legend.placement">right</option>
</chart>
</row>
<row>
<event>
<title>Message Logs</title>
<searchTemplate>sourcetype=postfix_syslog [ search sourcetype=postfix_syslog *$Username$* | dedup message_pid | fields message_pid ] | transaction keepevicted=true fields=message_pid maxspan=3m maxpause=1m</searchTemplate>
<option name="count">20</option>
<option name="showPager">true</option>
</event>
</row>
How do I get a progress bar back for the last search, and why did I lose it?
Anyone else working on postfix email logs?
---- Kirk
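An added Python example (not part of Kirk's post and not Splunk code) that performs the same two-pass correlation the faster search does, on constructed postfix syslog lines: first collect the queue IDs whose lines mention the username (the subsearch), then gather every line for those IDs (the transaction). The hostnames, addresses and log lines are constructed, and the postfix queue ID stands in for the post's message_pid field.

```python
import re
from collections import defaultdict

# Constructed postfix syslog lines (not from the original post). The queue ID
# after "postfix/<daemon>[pid]: " plays the role of the message_pid field.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx1 postfix/smtpd[1234]: 9A1B2C3D4E: client=relay.example.net[192.0.2.10]
Mar  3 10:00:01 mx1 postfix/cleanup[1240]: 9A1B2C3D4E: message-id=<a1@example.net>
Mar  3 10:00:02 mx1 postfix/qmgr[1100]: 9A1B2C3D4E: from=<alice@example.net>, size=2048, nrcpt=1 (queue active)
Mar  3 10:00:03 mx1 postfix/local[1250]: 9A1B2C3D4E: to=<kirk@example.com>, relay=local, status=sent (delivered to mailbox)
Mar  3 10:00:03 mx1 postfix/qmgr[1100]: 9A1B2C3D4E: removed
Mar  3 10:00:05 mx2 postfix/smtpd[2234]: F00DBEEF01: client=other.example.org[198.51.100.7]
Mar  3 10:00:06 mx2 postfix/qmgr[2100]: F00DBEEF01: from=<bob@example.org>, size=512, nrcpt=1 (queue active)
Mar  3 10:00:07 mx2 postfix/local[2250]: F00DBEEF01: to=<dave@example.com>, orig_to=<kirk@example.com>, relay=local, status=sent (forwarded as 1234ABCD)
Mar  3 10:00:08 mx1 postfix/smtpd[1234]: C0FFEE0001: client=mail.example[203.0.113.5]
Mar  3 10:00:09 mx1 postfix/local[1250]: C0FFEE0001: to=<eve@example.com>, relay=local, status=sent (delivered to mailbox)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<daemon>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<msg>.*)$"
)

def parse(log_text):
    """Return one dict per line in postfix format; lines without a queue ID are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def find_message_transactions(events, username):
    """Pass 1 (the subsearch): queue IDs of any line mentioning the username,
    which covers both to= and orig_to= lines. Pass 2 (the transaction): every
    line for those IDs, so client/from lines that never name the recipient are
    still grouped with the delivery line. Returns {queue_id: [events]}."""
    needle = username.lower()
    hit_ids = {e["qid"] for e in events if needle in e["msg"].lower()}
    grouped = defaultdict(list)
    for e in events:
        if e["qid"] in hit_ids:
            grouped[e["qid"]].append(e)
    return dict(grouped)

def count_by_host(transactions):
    """Messages per receiving host, the 'count by host' part of the chart panel
    without the time bucketing; the host of the first line in each group is used."""
    counts = defaultdict(int)
    for lines in transactions.values():
        counts[lines[0]["host"]] += 1
    return dict(counts)

if __name__ == "__main__":
    tx = find_message_transactions(parse(SAMPLE_LOG), "kirk")
    for qid, lines in tx.items():
        print(qid, [f"{l['daemon']}: {l['msg']}" for l in lines])
    print(count_by_host(tx))
```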