Hi horst.poehlmann,
look at your events in reverse order, so your first event is this one:
Jan 7 11:14:11 mailserver sm-mta[11642]: a070yZwR021222: from=, size=1210, class=0, nrcpts=41, msgid=<
[email protected]>, proto=DEANA, daemon=MTA, relay=guogcagiv01 [10.005.12.107]
Assuming your msgID would now be msgID=a070yZwR021222 and all the sendmail transactions related to this msgID will not take longer than one minute, you can try to run a transaction on the events like this:
sourcetype=syslog host="relay" process=sm-mta | transaction msgID to startswith="from=" endswith="postmaster-mail.sh" maxspan=1m
This will use the fields msgID and to to build a transaction starting with events containing the string from= and ending with events containing postmaster-mail.sh, which does not take longer than one minute.
Maybe you need to adapt some options, but it should give you something to start with.
cheers, MuS
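As an added illustration of what the transaction above does, the following Python script (added here; it is not part of MuS's answer and is not Splunk code) applies the same three grouping rules, a start marker (from=), an end marker (postmaster-mail.sh) and a maximum span of one minute, to a handful of constructed sendmail syslog lines. The group key is the sendmail queue ID that follows the process name, which is the value the answer treats as msgID. Queue IDs, hosts, addresses and the year used to complete the syslog timestamps are all made up.

```python
"""Toy reimplementation of the Splunk `transaction` grouping used in the answer.

Events are grouped by the sendmail queue ID, a group opens on a line that
contains the start marker, closes on a line that contains the end marker, and a
group whose events spread over more than MAXSPAN is reported as not closed,
mirroring the closed_txn field that the transaction command emits.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): two messages, the
# second of which takes 90 seconds and therefore exceeds maxspan=1m.
SAMPLE_LOG = """\
Jan 7 11:14:11 mailserver sm-mta[11642]: q0001: from=<sender@example.test>, size=1210, class=0, nrcpts=2, msgid=<m1@example.test>, proto=ESMTP, daemon=MTA, relay=host1 [10.0.0.1]
Jan 7 11:14:12 mailserver sm-mta[11643]: q0001: to=<a@example.test>, delay=00:00:01, stat=Sent
Jan 7 11:14:13 mailserver sm-mta[11643]: q0001: to=<b@example.test>, delay=00:00:02, stat=Sent
Jan 7 11:14:14 mailserver sm-mta[11643]: q0001: to=|/usr/local/bin/postmaster-mail.sh, delay=00:00:03, stat=Sent
Jan 7 11:20:00 mailserver sm-mta[11650]: q0002: from=<x@example.test>, size=500, class=0, nrcpts=1, msgid=<m2@example.test>, proto=ESMTP, daemon=MTA, relay=host2 [10.0.0.2]
Jan 7 11:21:30 mailserver sm-mta[11651]: q0002: to=|/usr/local/bin/postmaster-mail.sh, delay=00:01:30, stat=Sent
"""

# syslog timestamp, host, process[pid]: queueid: key=value, key=value ...
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w-]+)\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$"
)
MAXSPAN = timedelta(minutes=1)


def parse_event(line, year=2014):
    """Parse one sm-mta line into a dict; return None for non-matching lines.

    syslog lines carry no year, so the caller supplies one (a constructed
    assumption here, the real search simply uses the indexed _time).
    """
    m = LINE_RE.match(line)
    if not m or m["proc"] != "sm-mta":      # mirrors process=sm-mta in the search
        return None
    ts = " ".join(m["ts"].split())           # collapse the double space of "Jan  7"
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    fields = dict(re.findall(r"(\w+)=([^,]*)", m["rest"]))
    return {"time": when, "qid": m["qid"], "fields": fields, "raw": line}


def build_transactions(lines, startswith="from=", endswith="postmaster-mail.sh",
                       maxspan=MAXSPAN):
    """Group events the way `transaction <key> startswith endswith maxspan` does."""
    events = sorted(filter(None, map(parse_event, lines)), key=lambda e: e["time"])
    open_groups = {}     # qid -> list of events collected so far
    result = []

    def emit(group, closed):
        span = group[-1]["time"] - group[0]["time"]
        result.append({
            "qid": group[0]["qid"],
            "closed_txn": closed,
            "eventcount": len(group),
            "duration": span.total_seconds(),
            "recipients": [e["fields"]["to"].strip("<>")
                           for e in group if "to" in e["fields"]],
        })

    for ev in events:
        qid = ev["qid"]
        if startswith in ev["raw"]:
            if qid in open_groups:               # a new start closes the stale group
                emit(open_groups.pop(qid), False)
            open_groups[qid] = [ev]
            continue
        if qid not in open_groups:               # orphan: no start seen for this key
            continue
        group = open_groups[qid]
        if ev["time"] - group[0]["time"] > maxspan:
            emit(open_groups.pop(qid), False)    # exceeded maxspan: report unclosed
            continue
        group.append(ev)
        if endswith in ev["raw"]:
            emit(open_groups.pop(qid), True)
    for group in open_groups.values():           # anything still open at end of input
        emit(group, False)
    return result


def transactions_from_log(text):
    return build_transactions(text.splitlines())


if __name__ == "__main__":
    for txn in transactions_from_log(SAMPLE_LOG):
        print(txn)
```

Running it reports q0001 as a closed transaction of four events lasting three seconds, and q0002 as an unclosed group of one event because its end marker arrived 90 seconds after the from= line; that is the distinction to keep in mind when choosing maxspan for slow deliveries.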