Hello, thanks for your advice. I'm a newbie to Splunk and wasn't aware of appendpipe. From your post and the documentation, it seems I can break up searches as follows. Did I interpret it correctly?
...| appendpipe [search part 1] |appendpipe [search part2]| ... | appendpipe [search part N ] | stat ..
Will try it out.
Anyway, this method assumes the input is broken up into parts, while a mail transaction consists of multiple log entries. Breaking up the log files into parts (e.g. by number of lines, date/time, etc.) may make logs of the same transaction span multiple files, so the complete transaction information can't be obtained, especially on a busy mail server. I'll have to think about some good ways to split the file to avoid this ...
Thanks a lot.
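The splitting problem raised above, as an added example (not code from the original thread): a line-count split that cuts through a transaction, beside a splitter that groups lines by transaction id first. It assumes a Postfix-style log where the queue id follows the process name, and the sample log is constructed.

```python
import re
from collections import OrderedDict

# Constructed sample in an assumed Postfix-style format: two transactions
# (queue ids A1B2C3 and D4E5F6) interleaved across several lines each.
SAMPLE_LOG = """\
Jan 10 08:00:01 mx postfix/smtpd[1]: A1B2C3: client=a.example[192.0.2.1]
Jan 10 08:00:01 mx postfix/smtpd[1]: D4E5F6: client=b.example[192.0.2.2]
Jan 10 08:00:02 mx postfix/cleanup[2]: A1B2C3: message-id=<1@a.example>
Jan 10 08:00:02 mx postfix/qmgr[3]: A1B2C3: from=<u@a.example>, size=100
Jan 10 08:00:03 mx postfix/cleanup[2]: D4E5F6: message-id=<2@b.example>
Jan 10 08:00:03 mx postfix/smtp[4]: A1B2C3: to=<v@c.example>, status=sent
Jan 10 08:00:04 mx postfix/qmgr[3]: D4E5F6: from=<w@b.example>, size=200
Jan 10 08:00:04 mx postfix/smtp[4]: D4E5F6: to=<x@c.example>, status=sent
"""

# Assumed queue-id position: "...process[pid]: QUEUEID: ..."
QUEUE_ID = re.compile(r"\]: ([0-9A-F]{6,}): ")

def naive_split(text, max_lines):
    """Plain line-count split; it can cut a transaction across chunks."""
    lines = text.splitlines()
    return [lines[i:i + max_lines] for i in range(0, len(lines), max_lines)]

def split_by_transaction(text, max_lines):
    """Group lines by queue id, then pack whole transactions into chunks of
    at most max_lines lines (a transaction larger than the cap gets its own
    chunk). Lines without a queue id are appended one by one at the end."""
    txns, other = OrderedDict(), []
    for line in text.splitlines():
        m = QUEUE_ID.search(line)
        (txns.setdefault(m.group(1), []) if m else other).append(line)
    chunks, cur = [], []
    for group in list(txns.values()) + [[l] for l in other]:
        if cur and len(cur) + len(group) > max_lines:
            chunks.append(cur)
            cur = []
        cur.extend(group)
    if cur:
        chunks.append(cur)
    return chunks

def transactions_intact(chunks):
    """True if no queue id appears in more than one chunk."""
    first_seen = {}
    for i, chunk in enumerate(chunks):
        for line in chunk:
            m = QUEUE_ID.search(line)
            if m and first_seen.setdefault(m.group(1), i) != i:
                return False
    return True
```

Grouping by id drops the original interleaving across transactions, so the chunks are no longer strictly chronological; each transaction's own lines keep their order.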