When searching for email addresses in our sendmail logs, it helps to see the full transaction by using the queue id (qid) field.
sourcetype="sendmail_syslog" | transaction fields=qid maxspan=1m maxpause=30s | search firstname.lastname@example.org
Apr 16 12:35:55 server1 sendmail: o3GHZsNn013643: from=<email@example.com>, size=1126, class=0, nrcpts=1, msgid=<firstname.lastname@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.168.1.1] Apr 16 12:35:56 server1 sendmail: o3GHZsNn013643: to=<email@example.com>, delay=00:00:01, xdelay=00:00:00, mailer=smtp, pri=121126, relay=mail.example.com [192.168.1.1], dsn=2.0.0, stat=Sent (Ok: queued as 2DA7D50210)
host=server1 | sourcetype=sendmail_syslog | source=/var/log/maillog | to=<firstname.lastname@example.org> | from=<email@example.com> | relay=[192.168.1.1] | relay=mail.example.com | size=1126 | delay=00:00:01 | process=sendmail | qid=o3GHZsNn013643
Currently transactions take a long time to process, especially if I am looking at an entire days worth of email records to search for one email address. Can someone show me which search options would allow me to search for the email address first then pass the qid results list to a new search and run a transaction against that. sourcetype="sendmail_syslog" firstname.lastname@example.org | fields qid …?
I have looked at this question already: "http://answers.splunk.com/questions/284/subsearch-like-correlated-subquery-in-sql", but it still does not provide a clear answer. Do I use a subsearch or use the map command and how would I use it in this example?
sourcetype=sendmail_syslog [ search sourcetype="sendmail_syslog" email@example.com | dedup qid | fields qid ] | transaction fields=qid maxspan=1m maxpause=30s
should do it better
The searchtxn was created for this exact use case. It also does the transitive closure when you have multiple fields involved and not just one. To do that yourself you'd need to have a subsearch of a subsearch, etc.
| searchtxn email firstname.lastname@example.org