following best view with courier font 🙂

I need to create a report from QMAIL log. 
There will be more then one thread write to the log file so the 

Basically they like this, say I have a long event that a incoming mail, delivery to 2 recipients:
delivery_id should be pretty sequential but msg_id have very high chance will be reuse immediate once the mail process finished. Since msg_id is highly likely reuse all the time, so I cannot reverse search from delivery status and ressolve msg_id from delivery_id  

Start Event -- msg-id

-------------- msg-id : msg-size from Sender email gp ??? uid ???

Start Deliverty delivery-id : msg msg-id to local/remote recipient

...

Start Deliverty delivery-id : msg msg-id to local/remote recipient

...

delivery delivery-id: success/failure/deferred: deilvery-information

...

END Event ----

...

...

...

delivery : success/failure/deferred:    

so I use transaction to group msg_id event togehter

search qmailapplog | transaction msg_id startswith=("new msg") endswith=("end msg") 

to group msg_id event together

then I have event like the following:

2011-06-03 14:30:32.539477500 new msg 2019703

2011-06-03 14:30:32.539480500 info msg 2019703: bytes 25370 from a@b.com qp 1429 uid 502

2011-06-03 14:30:32.612800500 starting delivery 90228: msg 2019703 to remote b@a.com

2011-06-03 14:30:34.043198500 end msg 2019703

2011-06-03 14:25:57.685624500 new msg 2019703

2011-06-03 14:25:57.685626500 info msg 2019703: bytes 4166 from c@gmail.com qp 1210 uid 511

2011-06-03 14:25:57.750225500 starting delivery 90227: msg 2019703 to remote q@h.com

2011-06-03 14:25:58.028086500 end msg 2019703

2011-06-03 14:25:57.396305500 new msg 2019862

2011-06-03 14:25:57.396307500 info msg 2019862: bytes 4055 from d@gmail.com qp 1198 uid 501

2011-06-03 14:25:57.513558500 starting delivery 90221: msg 2019862 to local a1@b.com

2011-06-03 14:25:57.513563500 starting delivery 90222: msg 2019862 to remote a2@c.com

2011-06-03 14:25:57.513568500 starting delivery 90223: msg 2019862 to local a3@a.com

2011-06-03 14:25:57.513585500 starting delivery 90224: msg 2019862 to remote a4@b.com

2011-06-03 14:25:57.513607500 starting delivery 90225: msg 2019862 to local a5@a.com

2011-06-03 14:25:57.513610500 starting delivery 90226: msg 2019862 to local a6@a.com

2011-06-03 14:25:57.750253500 end msg 2019862

Therefor I will have
msg-id - size - sender ---- recipient - delivery-id
------- : ----- : ------- : --------- -------
2019703 : 25470 : a@b.com : b@a.com : 90228

2019703 : 4166 : c@gmail.com : q@h.com : 90227

2019862 : 4055 : d@gmail.com : a1@b.com : 90221

-------------------------------a2@c.com 90222

-------------------------------a3@c.com 90223

-------------------------------a4@c.com 90224

-------------------------------a5@c.com 90225

-------------------------------a6@c.com 90226

on the other hand, I can have delivery transaction by
sourcetype="qmailapplog" | transaction delivery_id| table delivery_id delivery_status, delivery_info

then i would have something like
90227 success 123.123.102.30_accepted_message./Remote_host_said:250/

Problem is How i could join them together by delivery-id so I can see the incoming mail and all delivery-id's delivery-result