I've created two transaction types, one named mail that finds all of the postfix events with the same queueid; and second named spamd that finds all of the spamassassin records for a single email by using the pid and startswith and endswith criteria. I've also extracted a custom field named spamdmessageid that matches the messageid in the postfix events.
The standard flow of email through my system goes through postfix, then gets passed off to spamassassin if not rejected by an RBL, then back to postfix to be delivered to the user.
If I search like this:
sourcetype=syslog | transaction name=mail, I get a list of postfix transactions as I expect. Likewise, if I search like this:
sourcetype=syslog | transaction name=spamd, I get a list of spamassassin transactions.
But I can't figure out how to combine the three transactions that are all related by the messageid and spamdmessageid fields. I've put `eval newmessageid=if(len(messageid)>0,messageid,if(len(spamdmessageid)>0,spamdmessageid,NULL))` before the transactions so that newmessage_id can be a common field between the two transactions, but I can't find any way of combining them.
What can I do to see all of the events from the two different transaction types grouped together by newmessageid?
See if this works for you
sourcetype=syslog name=mail OR name=spamd | eval messageid=coalesce(message_id, spamd_message_id) | eventstats values(pid) as pid by messageid | table _time _raw messageid pid | sort messageid
sourcetype=syslog name=mail OR name=spamd | eval messageid=coalesce(message_id, spamd_message_id) | eventstats last(pid) as pid by messageid | stats list(_raw) as _raw list(_time) as _time by messageid pid
This doesn't work because it's not a field named "name", but a transaction named "mail" or "spamd" that selects the information that I'm interested in. I can't seem to use the OR command to combine two transaction searches into one result. I was hoping that I could use
sourcetype=syslog | transaction name=(mail OR spamd)
at the beginning of my search, but no matter how I structure the query, I keep getting the error that "name" should not be specified more than once.