Hi there,
Because of some product limitations on an SMTP server, I need to deactivate SNMP polling, but I have to keep an eye on the mail queue growth.
The server is sending real-time logs to Splunk via syslog, and I have already identified fields to find out if a mail has just been queued, or if it has been delivered from the queue.
My problem is that what I get is the current value, and not the sum of the queue size.
Is there a way to add the new value to the previous result (by minute) and graph it in a timechart to get a representative view of the queue size?
Secondarily, I can't manage to subtract the OUT value from the IN. Here's my code:
| eval queuein=case(stat == "Deferred:", "FILL IN")
| eval queueout=case(stat == "Sent", "FILL OUT")
| eval queue=queuein-queueout
If anyone could help me with that, I'd really appreciate it.
Regards,
Romain.
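One way to build the per-minute running queue size asked about above, as an added example that is not part of the original post: each event gets a numeric +1 or -1 instead of a text label (eval arithmetic on non-numeric strings returns null), the deltas are summed per minute, and `streamstats` accumulates them. The base search `index=your_mail_index` is a placeholder, and the sketch assumes, as in the post, that `stat` is `Deferred:` for a message entering the queue and `Sent` for one leaving it.

```spl
index=your_mail_index (stat="Deferred:" OR stat="Sent")
| eval delta=case(stat=="Deferred:", 1, stat=="Sent", -1)
| timechart span=1m sum(delta) AS net_change
| fillnull value=0 net_change
| streamstats sum(net_change) AS queue_size
| fields _time queue_size
```

The running total starts from zero at the beginning of the search time range, so it shows growth relative to that point rather than the absolute queue depth. If the server logs a `Deferred:` line on every retry of the same message, the total will overcount unless events are first deduplicated on a message identifier.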