https://community.splunk.com/t5/Getting-Data-In/Postfix-logs-format/m-p/324532#M93256 <P>I have sent a mail. And mail server gives me logs like these.</P> <P>Feb 27 11:30:11 mail postfix/qmgr[8620]: 24C4C681F19: <STRONG>from=<A href="mailto:kalam@example.com">kalam@example.com</A></STRONG>, size=8814, nrcpt=1 (queue active)<BR /> Feb 27 11:30:11 mail postfix/amavis/smtp[50690]: 24C4C681F19: <STRONG>to=<A href="mailto:salam@example.com">salam@example.com</A></STRONG>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, delays=1.2/0.01/0/0.93, dsn=2.0.0, <STRONG>status=sent</STRONG> (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as F3433681F7C)</P> <P>I want to build a search based on the from address, but do stats on the status (separate counts for deffered, sent, reject etc.). Anyway I could make splunk realize these two events are related?</P> Wed, 28 Feb 2018 04:46:36 GMT abusayeed 2018-02-28T04:46:36Z https://community.splunk.com/t5/Getting-Data-In/Postfix-logs-format/m-p/324532#M93256 <P>I have sent a mail. And mail server gives me logs like these.</P> <P>Feb 27 11:30:11 mail postfix/qmgr[8620]: 24C4C681F19: <STRONG>from=<A href="mailto:kalam@example.com">kalam@example.com</A></STRONG>, size=8814, nrcpt=1 (queue active)<BR /> Feb 27 11:30:11 mail postfix/amavis/smtp[50690]: 24C4C681F19: <STRONG>to=<A href="mailto:salam@example.com">salam@example.com</A></STRONG>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, delays=1.2/0.01/0/0.93, dsn=2.0.0, <STRONG>status=sent</STRONG> (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as F3433681F7C)</P> <P>I want to build a search based on the from address, but do stats on the status (separate counts for deffered, sent, reject etc.). Anyway I could make splunk realize these two events are related?</P> Wed, 28 Feb 2018 04:46:36 GMT https://community.splunk.com/t5/Getting-Data-In/Postfix-logs-format/m-p/324532#M93256 abusayeed 2018-02-28T04:46:36Z https://community.splunk.com/t5/Getting-Data-In/Postfix-logs-format/m-p/324533#M93257 <P>Hi,</P> <P>This is answer will help you:<BR /> <A href="https://answers.splunk.com/answers/40922/postfix-logs.html">https://answers.splunk.com/answers/40922/postfix-logs.html</A></P> Thu, 01 Mar 2018 10:24:22 GMT https://community.splunk.com/t5/Getting-Data-In/Postfix-logs-format/m-p/324533#M93257 p_gurav 2018-03-01T10:24:22Z