I'm very new to Splunk and need to get some details about a transaction which spans multiple events. I am trying to get my head around how transaction works, or whether this can even be done without using transaction.
Sample logs:
Feb 18 21:45:15 smtp2 sm-mta[9562]: l1J3iwHw009562: to=, delay=00:00:17, pri=14653393, stat=Message exceeds maximum fixed size (8000000)
Feb 18 21:45:15 smtp2 sm-mta[9562]: l1J3iwHw009562: message size (14623393) exceeds maximum (8000000)
Feb 18 21:45:15 smtp2 sm-mta[9562]: l1J3iwHw009562: from=, size=14623393, class=0, nrcpts=1, msgid=64db010c0702181944g15241075qf40af0a1cb398e30@mail.example.com, proto=ESMTP, daemon=MTA, relay=wr-out-0506.example.com [64.233.184.225]
Flow of what needs to be achieved:
1. Search for an event where stat!=Sent.
2. Search for all other (2) events with the same qid (l1J3iwHw009562).
3. Extract other information from the transaction such as msgid, size, from, to
I have tried a variety of different things but really think this should return what I want, but it does not.
index=maildata | transaction qid startswith="stat!=Sent" endswith="msgid=*"
Thanks in advance
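The three steps above (find the non-Sent recipient event, gather the other events with the same queue ID, pull msgid/size/from/to out of the group) are the same join that a script would do over raw sendmail lines. The following is an added example, not code from the original post or from Splunk: it parses sm-mta lines, groups them by queue ID and reports the merged fields of every transaction whose recipient status is not Sent. The log lines are constructed for the example: the failing queue ID l1J3iwHw009562 is taken from the question with placeholder addresses filled in, and l1J3jQaB009570 is an invented successful delivery for contrast.

```python
import re
from collections import defaultdict

# Constructed sample lines in sendmail's sm-mta format (not from the original post).
# l1J3iwHw009562 mirrors the failing transaction in the question with addresses
# filled in; l1J3jQaB009570 is a made-up successful delivery for contrast.
SAMPLE_LOG = """\
Feb 18 21:45:15 smtp2 sm-mta[9562]: l1J3iwHw009562: to=<bob@example.org>, delay=00:00:17, pri=14653393, stat=Message exceeds maximum fixed size (8000000)
Feb 18 21:45:15 smtp2 sm-mta[9562]: l1J3iwHw009562: message size (14623393) exceeds maximum (8000000)
Feb 18 21:45:15 smtp2 sm-mta[9562]: l1J3iwHw009562: from=<alice@mail.example.com>, size=14623393, class=0, nrcpts=1, msgid=<64db010c0702181944g15241075qf40af0a1cb398e30@mail.example.com>, proto=ESMTP, daemon=MTA, relay=wr-out-0506.example.com [64.233.184.225]
Feb 18 21:46:02 smtp2 sm-mta[9570]: l1J3jQaB009570: from=<carol@example.net>, size=1204, class=0, nrcpts=1, msgid=<abc123@example.net>, proto=ESMTP, daemon=MTA, relay=mx.example.net [192.0.2.10]
Feb 18 21:46:03 smtp2 sm-mta[9570]: l1J3jQaB009570: to=<dave@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31204, relay=mail.example.org. [198.51.100.5], dsn=2.0.0, stat=Sent (OK id=1234)
"""

# Syslog prefix plus the sendmail queue ID; everything after the qid is the payload.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sm-mta\[(?P<pid>\d+)\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one sm-mta line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "qid": m["qid"]}
    rest = m["rest"]
    # stat= is sendmail's last field and its value may itself contain commas,
    # parentheses and "id=" text, so split it off before parsing the rest.
    head, sep, stat = rest.partition("stat=")
    if sep:
        rec["stat"] = stat.strip()
    for piece in head.split(", "):
        key, eq, value = piece.partition("=")
        if eq and re.fullmatch(r"\w+", key):
            rec[key] = value.strip().strip("<>")  # drop <> around addresses and msgid
    if len(rec) == 3:
        rec["text"] = rest  # free-text lines such as "message size ... exceeds maximum"
    return rec


def group_by_qid(log_text):
    """Step 2: collect every event of a message under its queue ID."""
    txns = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            txns[rec["qid"]].append(rec)
    return dict(txns)


def summarize(qid, events):
    """Step 3: merge the fields of one queue ID's events into a single record."""
    summary = {"qid": qid, "events": len(events), "to": [], "stat": []}
    for e in events:
        for key in ("from", "size", "msgid", "relay"):
            if key in e and key not in summary:
                summary[key] = e[key]
        if "to" in e:          # one to=/stat= pair per recipient
            summary["to"].append(e["to"])
        if "stat" in e:
            summary["stat"].append(e["stat"])
    return summary


def failed_deliveries(log_text):
    """Step 1: keep only transactions with a recipient whose stat is not Sent.

    A queue ID that has no stat= event yet (delivery still pending) is not
    reported, since there is no recipient status to judge.
    """
    results = []
    for qid, events in group_by_qid(log_text).items():
        summary = summarize(qid, events)
        if any(not st.startswith("Sent") for st in summary["stat"]):
            results.append(summary)
    return results


if __name__ == "__main__":
    for txn in failed_deliveries(SAMPLE_LOG):
        print(txn)
```

Two points carry over to Splunk. First, `transaction` with `startswith`/`endswith` depends on the events arriving in a deterministic order, and the three events here share the same timestamp, so their order is not guaranteed; grouping with `stats` (for example `| stats values(msgid) as msgid values(size) as size values(from) as from values(to) as to values(stat) as stat by qid`, then filtering on the stat values) does the same join without caring about order, provided qid and the other fields are already extracted with `rex` or sourcetype field extractions. Second, match stat with a prefix test rather than plain equality: a successful delivery logs `stat=Sent (...)` with extra detail after the word, so `stat!=Sent` alone would also pass the successful ones.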