What does your data look like?

i have this search

index=syslog source=/var/log/maillog (host=imail3.* OR host=imail4.*) DEFERRED| top to showperc=0 | addcoltotals

that gives me top deferred email domains

log line is like:

2015-04-22T10:33:40.000000-07:00 imail4 postfix/error[16223]: 674E55A8: to=, relay=none, delay=600, delays=600/0.09/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to backns2[10.15.0.104]:25: Connection refused)

For top 10 domains i want to add a column to show me for how long i have only deferred, NOT "status=deferred" will reset that counter for that domain.

So you're saying that there are events in your data that look like

time0 foo deferred
time1 foo deferred

and then eventually

timeX foo status=deferred

and what you want to know is (timeX-time0)?

what i want is (timeX - time of last NOT "status=deferred") per email addresses in the above top, as a column

Hi,

Can you try using transaction command. You can use startswith and endswith to define the transaction limit. Once the proper transaction is identified i.e. set of events which has email which was deffered and then events which has email not deffered, you can extract the time by using multivalue commands.

Thanks!!

Hi,

Is this working for you?

Thanks!!