About chutz

chutz · ‎08-16-2020

Using `transaction` to trace email delivery through a chain of postfix relays, and I end up with a transaction where each relay reported a `status=`. In the normal case all of these are `status=sent` but now and then I see `status=bounced` or `status=deferred`. How do I search for the non-success `status` when there are multiple success ones and only one non-success. If I add `| search NOT status=sent` to the search, nothing gets matched because there is almost always a `status=sent`. Sadly, `| search status != sent` seems to behave the same way. I could list all the other possible values so I can have `| search status=bounced OR status=deferred` but this not what I am looking for.

chutz · ‎04-25-2020

We pass messages with rsyslog using the rfc3339 time format. It has microseconds, and it has a timestamp. But noticed a few issues: The time zone is not parsed out of the message. If I remove the microseconds from the timestamp, it would work fine. The host does not get parsed out. Seems to be a problem with the syslog-host transform which does not like the timezone. Dropping the timezone fixes this problem but I would rather keep it. What would be the best way to proceed? Modify the syslog source type? Create a new source type? Report the issue and hope for a fix?

chutz · ‎07-10-2019

First link has been moved to https://docs.splunk.com/Documentation/Splunk/latest/Indexer/RemovedatafromSplunk

Posts	3
Solutions	0
Karma Given	3
Karma Received	1
Member Since	‎04-19-2011

Online Status	Offline
Date Last Visited	‎12-10-2023 01:31 PM

Search for a field which is NOT success from multi...

How to modify syslog source type to handle rfc3339...

Search for a field which is NOT success from multi...

How to modify syslog source type to handle rfc3339...

Re: how to delete old date from splunk