When searching for email addresses in our sendmail logs, it helps to see the full transaction by using the queue id (qid) field.
Search command:
sourcetype="sendmail_syslog" | transaction fields=qid maxspan=1m maxpause=30s | search [email protected]
Example output:
Apr 16 12:35:55 server1 sendmail[13643]: o3GHZsNn013643: from=<[email protected]>, size=1126, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.168.1.1]
Apr 16 12:35:56 server1 sendmail[13656]: o3GHZsNn013643: to=<[email protected]>, delay=00:00:01, xdelay=00:00:00, mailer=smtp, pri=121126, relay=mail.example.com [192.168.1.1], dsn=2.0.0, stat=Sent (Ok: queued as 2DA7D50210)
Fields:
host=server1 | sourcetype=sendmail_syslog | source=/var/log/maillog | to=<[email protected]> | from=<[email protected]> | relay=[192.168.1.1] | relay=mail.example.com | size=1126 | delay=00:00:01 | process=sendmail | qid=o3GHZsNn013643
Currently transactions take a long time to process, especially if I am looking at an entire day's worth of email records to search for one email address. Can someone show me which search options would allow me to search for the email address first, then pass the qid results list to a new search and run a transaction against that? sourcetype="sendmail_syslog" [email protected] | fields qid …?
I have looked at this question already: "http://answers.splunk.com/questions/284/subsearch-like-correlated-subquery-in-sql", but it still does not provide a clear answer. Do I use a subsearch or use the map command and how would I use it in this example?
sourcetype=sendmail_syslog [ search sourcetype="sendmail_syslog" [email protected] | dedup qid | fields qid ] | transaction fields=qid maxspan=1m maxpause=30s
should do it better
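As an added illustration (not code from the original thread), the same two-pass logic in Python over constructed maillog lines: the inner pass collects the queue ids that mention the address (the `dedup qid | fields qid` subsearch), and the outer pass groups only those ids under the same maxspan/maxpause limits, so a delivery that is deferred and retried ten minutes later lands in a separate transaction rather than in the original one. Addresses, hosts and queue ids in the sample are made up, and the year is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta
# Constructed sample maillog lines (not from the original post): qid o3GHZsNn013643 is sent by alice, deferred,
# then retried ten minutes later; o3GHe1Ab013700 is delivered to alice; o3GHf0Cd013720 never mentions her.
SAMPLE_LOG = """\
Apr 16 12:35:55 server1 sendmail[13643]: o3GHZsNn013643: from=<alice@example.com>, size=1126, class=0, nrcpts=1, msgid=<1@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.168.1.1]
Apr 16 12:35:56 server1 sendmail[13656]: o3GHZsNn013643: to=<bob@example.org>, delay=00:00:01, xdelay=00:00:00, mailer=smtp, pri=121126, relay=mx.example.org [192.168.1.2], dsn=4.0.0, stat=Deferred: Connection refused by mx.example.org
Apr 16 12:40:01 server1 sendmail[13700]: o3GHe1Ab013700: from=<carol@example.com>, size=900, class=0, nrcpts=1, msgid=<2@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.168.1.1]
Apr 16 12:40:02 server1 sendmail[13701]: o3GHe1Ab013700: to=<alice@example.com>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30900, dsn=2.0.0, stat=Sent
Apr 16 12:41:00 server1 sendmail[13720]: o3GHf0Cd013720: from=<dave@example.com>, size=500, class=0, nrcpts=1, msgid=<3@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.168.1.1]
Apr 16 12:45:56 server1 sendmail[13800]: o3GHZsNn013643: to=<bob@example.org>, delay=00:10:01, xdelay=00:00:00, mailer=smtp, pri=211126, relay=mx.example.org [192.168.1.2], dsn=2.0.0, stat=Sent (Ok: queued as 2DA7D50210)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): ")

def parse(text, year=2010):
    """Extract _time and qid from each line (syslog has no year, so one is assumed)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines without a queue id are dropped, as transaction fields=qid would
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"_time": ts, "qid": m["qid"], "_raw": line})
    return events

def subsearch_qids(events, address):
    """The inner search: ... <address> | dedup qid | fields qid -> a set of queue ids."""
    return {e["qid"] for e in events if address in e["_raw"]}

def transaction(events, qids, maxspan=timedelta(minutes=1), maxpause=timedelta(seconds=30)):
    """The outer search: only events whose qid came back from the subsearch are grouped, and a new
    group starts when an event would exceed maxspan from the first or maxpause from the previous event."""
    by_qid = {}
    for e in sorted(events, key=lambda e: e["_time"]):
        if e["qid"] in qids:
            by_qid.setdefault(e["qid"], []).append(e)
    txns = []
    for evs in by_qid.values():
        current = [evs[0]]
        for e in evs[1:]:
            if e["_time"] - current[0]["_time"] > maxspan or e["_time"] - current[-1]["_time"] > maxpause:
                txns.append(current)
                current = []
            current.append(e)
        txns.append(current)
    return txns

def search_address(text, address):
    events = parse(text)
    return transaction(events, subsearch_qids(events, address))
```

Running `search_address(SAMPLE_LOG, "alice@example.com")` yields three transactions: the original from/deferred pair, the retry on its own, and the separate delivery to alice; the unrelated queue id never appears.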
The searchtxn was created for this exact use case. It also does the transitive closure when you have multiple fields involved and not just one. To do that yourself you'd need to have a subsearch of a subsearch, etc.
| searchtxn email to=[email protected]
This works great. Thanks.