
It will start from scratch if you restart qmail, and so again, this id is not unique over a longer time. While you get the information that a particular delivery has been started for a given message id, all further information regarding the progress of this delivery is logged only with the delivery id and does not show the message id again. That's probably due to the way the qmail architecture uses different processes for isolated tasks.

In order to get a comprehensive Splunk report for a given email address, and to make it run in acceptable time, I had to learn about Splunk subsearches and transaction grouping.

Use a subsearch to narrow down relevant events

First, let's start with a simple Splunk search for the recipient address (the actual address goes in place of the placeholder):

    index=mail sourcetype=qmail_current <recipient address>

In particular, this will find the starting delivery events for this address, like the third log line shown above. Having done our homework, the Splunk field extractions are set up in a way that we get the qmail_msg and qmail_delivery fields for this event.

Now, in order to get a complete report including delivery progress, we need to consider all log events that include either the appropriate message id or the delivery id. With a default Splunk subsearch, the outer search will get all events where every field returned from the subsearch matches. This works because Splunk applies the format command implicitly on subsearches, so the subsearch is effectively run as:

    index=mail sourcetype=qmail_current <recipient address> | fields qmail_msg qmail_delivery | format

This will return a single event with a field named search and, as its value, a search expression built from the qmail_msg and qmail_delivery values. Then, the value from this search field is taken as a replacement for the subsearch part of the query. Finally, the resulting query is executed.
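To make the subsearch mechanics concrete, here is an added example (not code from the original post, and not Splunk itself) that replays the steps in Python against a constructed qmail-send log excerpt: the recipient search, the `fields qmail_msg qmail_delivery` projection, the `search` string that `format` builds, and the outer filter. The field extractions are assumed regexes standing in for whatever props/transforms the post's author configured; the sample log lines and the recipient bob@example.com are made up. It also goes one step beyond the post: the `column_sep="OR"` variant shows what the outer search returns when the per-row join is OR instead of the default AND, which is what "either the message id or the delivery id" requires (the assumption here is that Splunk's `format` accepts explicit separator arguments, i.e. `| format "(" "(" "OR" ")" "OR" ")"`).

```python
import re

# Constructed qmail-send log excerpt (TAI64N prefixes as written by multilog).
# This is made-up sample data, not log output from the original post.
SAMPLE_LOG = """\
@4000000065a0c1f00a1b2c3d new msg 20481
@4000000065a0c1f00b1b2c3d info msg 20481: bytes 1510 from <alice@example.org> qp 31007 uid 1001
@4000000065a0c1f10c1b2c3d starting delivery 911: msg 20481 to remote bob@example.com
@4000000065a0c1f10d1b2c3d status: local 0/10 remote 1/20
@4000000065a0c1f20e1b2c3d new msg 20482
@4000000065a0c1f20f1b2c3d starting delivery 912: msg 20482 to local carol@example.com
@4000000065a0c1f3001b2c3d delivery 912: success: did_0+0+1/
@4000000065a0c1f3011b2c3d end msg 20482
@4000000065a0c1f4021b2c3d delivery 911: success: 192.0.2.25_accepted_message./Remote_host_said:_250_ok/
@4000000065a0c1f5031b2c3d status: local 0/10 remote 0/20
@4000000065a0c1f5041b2c3d end msg 20481
"""

# Assumed field extractions standing in for the Splunk extractions the post
# says were set up; the real regexes are not on the page.
MSG_RE = re.compile(r"\bmsg (\d+)")
DELIVERY_RE = re.compile(r"\bdelivery (\d+)")


def extract_fields(raw):
    """Return the fields Splunk would attach to one event (plus _raw)."""
    fields = {"_raw": raw}
    if m := MSG_RE.search(raw):
        fields["qmail_msg"] = m.group(1)
    if m := DELIVERY_RE.search(raw):
        fields["qmail_delivery"] = m.group(1)
    return fields


EVENTS = [extract_fields(line) for line in SAMPLE_LOG.splitlines()]


def inner_search(events, recipient):
    """The subsearch: events mentioning the recipient, projected to the two id
    fields, like `... <recipient> | fields qmail_msg qmail_delivery`."""
    rows = []
    for ev in events:
        if recipient in ev["_raw"]:
            rows.append({k: ev[k] for k in ("qmail_msg", "qmail_delivery") if k in ev})
    return rows


def format_rows(rows, column_sep="AND"):
    """Build the `search` field value the way Splunk's `format` command does.
    The default separators are "(" "(" "AND" ")" "OR" ")"; column_sep="OR"
    mimics `| format "(" "(" "OR" ")" "OR" ")"` (assumed syntax)."""
    parts = []
    for row in rows:
        terms = [f'{k}="{v}"' for k, v in row.items()]
        parts.append("( " + f" {column_sep} ".join(terms) + " )")
    return "( " + " OR ".join(parts) + " )"


def _matches(ev, rows, column_sep):
    """Evaluate the expanded expression against one event: rows are OR'ed,
    the fields inside a row are joined by column_sep."""
    for row in rows:
        checks = [ev.get(k) == v for k, v in row.items()]
        if checks and (all(checks) if column_sep == "AND" else any(checks)):
            return True
    return False


def outer_search(events, recipient, column_sep="AND"):
    """Run the subsearch, expand it, and filter the outer search with it."""
    rows = inner_search(events, recipient)
    return [ev["_raw"] for ev in events if _matches(ev, rows, column_sep)]


if __name__ == "__main__":
    rows = inner_search(EVENTS, "bob@example.com")
    for sep in ("AND", "OR"):
        print(f"subsearch expands to: {format_rows(rows, sep)}")
        for line in outer_search(EVENTS, "bob@example.com", sep):
            print("  ", line)
```

With the default AND join the outer search only returns the "starting delivery" line itself, because that is the only event carrying both a message id and a delivery id; with OR you get the whole life cycle of message 20481 and delivery 911 (new msg, info msg, starting delivery, delivery success, end msg) while message 20482 and delivery 912 stay out.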


