The following is best viewed with a Courier font 🙂
I need to create a report from a QMAIL log.
There will be more than one thread writing to the log file so the
Basically they are like this; say I have a long event that is an incoming mail, delivered to 2 recipients:
delivery_id should be pretty sequential, but msg_id has a very high chance of being reused immediately once the mail process has finished. Since msg_id is highly likely to be reused all the time, I cannot reverse search from delivery status and resolve msg_id from delivery_id.
Start Event -- msg-id
-------------- msg-id : msg-size from Sender email qp ??? uid ???
Start Delivery delivery-id : msg msg-id to local/remote recipient
...
Start Delivery delivery-id : msg msg-id to local/remote recipient
...
delivery delivery-id: success/failure/deferred: delivery-information
...
END Event ----
...
...
...
delivery
So I use transaction to group msg_id events together:
search qmailapplog | transaction msg_id startswith=("new msg") endswith=("end msg")
to group msg_id event together
then I have event like the following:
2011-06-03 14:30:32.539477500 new msg 2019703
2011-06-03 14:30:32.539480500 info msg 2019703: bytes 25370 from a@b.com qp 1429 uid 502
2011-06-03 14:30:32.612800500 starting delivery 90228: msg 2019703 to remote b@a.com
2011-06-03 14:30:34.043198500 end msg 2019703
2011-06-03 14:25:57.685624500 new msg 2019703
2011-06-03 14:25:57.685626500 info msg 2019703: bytes 4166 from c@gmail.com qp 1210 uid 511
2011-06-03 14:25:57.750225500 starting delivery 90227: msg 2019703 to remote q@h.com
2011-06-03 14:25:58.028086500 end msg 2019703
2011-06-03 14:25:57.396305500 new msg 2019862
2011-06-03 14:25:57.396307500 info msg 2019862: bytes 4055 from d@gmail.com qp 1198 uid 501
2011-06-03 14:25:57.513558500 starting delivery 90221: msg 2019862 to local a1@b.com
2011-06-03 14:25:57.513563500 starting delivery 90222: msg 2019862 to remote a2@c.com
2011-06-03 14:25:57.513568500 starting delivery 90223: msg 2019862 to local a3@a.com
2011-06-03 14:25:57.513585500 starting delivery 90224: msg 2019862 to remote a4@b.com
2011-06-03 14:25:57.513607500 starting delivery 90225: msg 2019862 to local a5@a.com
2011-06-03 14:25:57.513610500 starting delivery 90226: msg 2019862 to local a6@a.com
2011-06-03 14:25:57.750253500 end msg 2019862
Therefore I will have
msg-id - size - sender ---- recipient - delivery-id
------- : ----- : ------- : --------- -------
2019703 : 25470 : a@b.com : b@a.com : 90228
2019703 : 4166 : c@gmail.com : q@h.com : 90227
2019862 : 4055 : d@gmail.com : a1@b.com : 90221
-------------------------------a2@c.com 90222
-------------------------------a3@c.com 90223
-------------------------------a4@c.com 90224
-------------------------------a5@c.com 90225
-------------------------------a6@c.com 90226
On the other hand, I can have a delivery transaction by
sourcetype="qmailapplog" | transaction delivery_id| table delivery_id delivery_status, delivery_info
Then I would have something like
90227 success 123.123.102.30_accepted_message./Remote_host_said:250/
The problem is how I could join them together by delivery-id, so I can see the incoming mail and all of its delivery-ids' delivery results.
Solved by join with rex a new field. Well. 🙂
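The same correlation done outside Splunk, as an added example that is not part of the original post: it binds each delivery_id to the message instance open at that moment, so a reused msg_id never mixes two mails. The function name `correlate`, the assumption that lines arrive in chronological order, and the two constructed delivery result lines are assumptions of this example.

```python
import re

# Constructed sample (chronological) in the log format shown in the post;
# msg 2019703 is reused by a second, unrelated mail.
SAMPLE = """\
2011-06-03 14:25:57.685624500 new msg 2019703
2011-06-03 14:25:57.685626500 info msg 2019703: bytes 4166 from c@gmail.com qp 1210 uid 511
2011-06-03 14:25:57.750225500 starting delivery 90227: msg 2019703 to remote q@h.com
2011-06-03 14:25:58.020000500 delivery 90227: success: 123.123.102.30_accepted_message./Remote_host_said:250/
2011-06-03 14:25:58.028086500 end msg 2019703
2011-06-03 14:30:32.539477500 new msg 2019703
2011-06-03 14:30:32.539480500 info msg 2019703: bytes 25370 from a@b.com qp 1429 uid 502
2011-06-03 14:30:32.612800500 starting delivery 90228: msg 2019703 to remote b@a.com
2011-06-03 14:30:34.040000500 delivery 90228: failure: constructed_failure_text/
2011-06-03 14:30:34.043198500 end msg 2019703
""".splitlines()

PATTERNS = [
    ("new", re.compile(r"new msg (\d+)$")),
    ("info", re.compile(r"info msg (\d+): bytes (\d+) from (\S+) ")),
    ("start", re.compile(r"starting delivery (\d+): msg (\d+) to (local|remote) (\S+)")),
    ("result", re.compile(r"delivery (\d+): (\w+): (.*)$")),
    ("end", re.compile(r"end msg (\d+)$")),
]

def correlate(lines):
    """Return one row per delivery, tied to the message instance open at that time."""
    open_msgs, pending, rows = {}, {}, []  # msg_id -> record; delivery_id -> row
    for line in lines:
        date, time, rest = (line.strip().split(" ", 2) + ["", ""])[:3]
        hit = next(((k, rx.match(rest)) for k, rx in PATTERNS if rx.match(rest)), None)
        if not hit:
            continue
        kind, m = hit
        if kind == "new":      # a fresh instance replaces any earlier use of this id
            open_msgs[m[1]] = {"msg_id": m[1], "started": f"{date} {time}"}
        elif kind == "info" and m[1] in open_msgs:
            open_msgs[m[1]].update(bytes=int(m[2]), sender=m[3])
        elif kind == "start" and m[2] in open_msgs:
            row = dict(open_msgs[m[2]], delivery_id=m[1], recipient=m[4], status=None, info=None)
            pending[m[1]] = row
            rows.append(row)
        elif kind == "result" and m[1] in pending:  # join on delivery_id
            pending.pop(m[1]).update(status=m[2], info=m[3])
        elif kind == "end":    # id is free for reuse from here on
            open_msgs.pop(m[1], None)
    return rows
```

Splunk lists events newest first, so an export from the search UI has to be reversed before it is fed to `correlate`.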