jilofabric.blogg.se

Splunk subsearch timeout




The email in question was part of a larger mail processing job, and we're using qmail to process these mails. Yes, qmail: it works great when it comes to doing high-volume, outbound-only deliveries in a short time. The challenge is that qmail has an interesting way of logging in its current log, which looks like this:

    new msg 33778541
    info msg 33778541: bytes 7703 from qp 2151
    starting delivery 7512293: msg 33778541 to remote
    delivery 7512293: success: 176.34.178.125_accepted_message./Remote_host_said:_250_OK_id=1evM4J-0005W8-QC/
    end msg 33778541

I am not talking about the funny-looking tai64 timestamps, but rather the message and delivery ids.

  • The message id is based on the Linux filesystem inode number of the mail file sitting in the queue. While it is unique at any given time, multiple different mails will use the same message id over time, because the inode gets reused once the queue file is deleted.
  • The delivery id is just a counter that increments with every message processed. It starts from scratch if you restart qmail, so again this id is not unique over a longer time.
  • While you get the information that a particular delivery has been started for a given message id, all further information regarding the progress of this delivery is logged only with the delivery id and does not show the message id again.

That's probably due to the way the qmail architecture uses different processes for isolated tasks.

In order to get a comprehensive Splunk report for a given email address, and to make it run in acceptable time, I had to learn about Splunk subsearches and transaction grouping.

Use a subsearch to narrow down relevant events

First, let's start with a simple Splunk search for the recipient address, restricted to index=mail sourcetype=qmail_current. In particular, this will find the "starting delivery" events for this address, like the third log line shown above. Having done our homework, the Splunk field extractions are set up in a way that we get the qmail_msg and qmail_delivery fields for this event.

Now, in order to get a complete report including delivery progress, we need to consider all log events that include either the appropriate message id or the delivery id. With a default Splunk subsearch, the outer search will get only those events where every field returned from the subsearch matches, which here means events carrying both qmail_msg and qmail_delivery, i.e. just the "starting delivery" line itself. This works because Splunk applies the format command implicitly on subsearches: the fields of each returned row are ANDed together, and the rows are ORed with each other.
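The correlation problem described above, worked through as an added example (this is not code from the post; the post's own solution lives in Splunk with subsearches and transaction grouping). The script below runs the same logic offline over a constructed qmail "current" log: the sample lines, the tai64n timestamps, the sender and recipient addresses, and the deliberate reuse of message id 33778541 (inode reuse) and delivery id 7512293 (counter reset after a restart) are all assumptions made up for the example, while the line shapes follow qmail-send's format with the sender in angle brackets. `correlate()` binds each delivery id to a message only between its "starting delivery" line and the next rebinding of that id, which is what makes the reused ids harmless. `naive_join()` models what a plain join on the two ids gives, the way a subsearch that ORs the recipient's ids over the whole index would, and shows it pulling in other recipients' mails. The script goes beyond the post in making the reuse explicit.

```python
import re

# Constructed sample of a qmail "current" log (tai64n timestamps and addresses
# are made up).  msg id 33778541 is reused by a later mail and delivery id
# 7512293 reappears after a restart, as described in the post.
SAMPLE_LOG = """\
@4000000059e4a1b10b4d0d24 new msg 33778541
@4000000059e4a1b10b4d2114 info msg 33778541: bytes 7703 from <batch@example.com> qp 2151 uid 1000
@4000000059e4a1b10b4e0c3c starting delivery 7512293: msg 33778541 to remote alice@example.org
@4000000059e4a1b10b4e1a5c status: local 0/10 remote 1/20
@4000000059e4a1b11e2f1a24 delivery 7512293: success: 176.34.178.125_accepted_message./Remote_host_said:_250_OK_id=1evM4J-0005W8-QC/
@4000000059e4a1b11e2f3b5c end msg 33778541
@4000000059e4a1b2051c2d0c new msg 33778541
@4000000059e4a1b2051c4b14 info msg 33778541: bytes 5120 from <batch@example.com> qp 2152 uid 1000
@4000000059e4a1b2051d0c3c starting delivery 7512294: msg 33778541 to remote bob@example.net
@4000000059e4a1b206001a24 delivery 7512294: deferral: Connected_to_203.0.113.7_but_connection_died._(#4.4.2)/
@4000000059e4a1b40c1a2d0c new msg 33778600
@4000000059e4a1b40c1a4b14 info msg 33778600: bytes 640 from <batch@example.com> qp 2153 uid 1000
@4000000059e4a1b40c1b0c3c starting delivery 7512295: msg 33778600 to remote alice@example.org
@4000000059e4a1b40e001a24 delivery 7512295: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@4000000059e4a1b40e003b5c end msg 33778600
@4000000059e4a1b5000a0000 new msg 33778700
@4000000059e4a1b5000b0000 info msg 33778700: bytes 900 from <other@example.com> qp 2154 uid 1000
@4000000059e4a1b5000c0000 starting delivery 7512293: msg 33778700 to remote carol@example.com
@4000000059e4a1b5000d0000 delivery 7512293: success: 198.51.100.9_accepted_message./Remote_host_said:_250_OK/
@4000000059e4a1b5000e0000 end msg 33778700
"""

TAI64 = r"@[0-9a-f]{24}"
PATTERNS = {
    "new":      re.compile(rf"^{TAI64} new msg (?P<msg>\d+)$"),
    "info":     re.compile(rf"^{TAI64} info msg (?P<msg>\d+): bytes (?P<bytes>\d+) from <(?P<sender>[^>]*)> qp (?P<qp>\d+)"),
    "starting": re.compile(rf"^{TAI64} starting delivery (?P<delivery>\d+): msg (?P<msg>\d+) to (?P<kind>local|remote) (?P<rcpt>\S+)$"),
    "delivery": re.compile(rf"^{TAI64} delivery (?P<delivery>\d+): (?P<status>success|failure|deferral): (?P<detail>.*)$"),
    "end":      re.compile(rf"^{TAI64} end msg (?P<msg>\d+)$"),
}


def parse(log_text):
    """Yield (kind, fields) for every recognised line, in log order; the raw line is kept."""
    for line in log_text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                yield kind, {"raw": line, **m.groupdict()}
                break


def correlate(log_text, recipient):
    """One record per delivery attempt to `recipient`, with the final status.

    A delivery id is bound to a message by its "starting delivery" line and the
    binding is replaced when a later "starting delivery" reuses the id; a message
    id names one mail only between "new msg" and "end msg".  Walking the log in
    order with those rebinding rules is what handles inode reuse and counter resets.
    """
    open_msgs = {}   # msg id -> sender/bytes while that mail sits in the queue
    active = {}      # delivery id -> record while that delivery is in flight
    records = []
    for kind, f in parse(log_text):
        if kind == "new":
            open_msgs[f["msg"]] = {"sender": None, "bytes": None}
        elif kind == "info":
            m = open_msgs.setdefault(f["msg"], {})
            m["sender"], m["bytes"] = f["sender"], int(f["bytes"])
        elif kind == "starting":
            rec = {"msg": f["msg"], "delivery": f["delivery"], "rcpt": f["rcpt"],
                   "status": "pending", "detail": None, **open_msgs.get(f["msg"], {})}
            active[f["delivery"]] = rec      # rebinding drops any stale record for this id
            if f["rcpt"] == recipient:
                records.append(rec)
        elif kind == "delivery":
            rec = active.pop(f["delivery"], None)
            if rec is not None:              # progress lines carry the delivery id only
                rec["status"], rec["detail"] = f["status"], f["detail"]
        elif kind == "end":
            open_msgs.pop(f["msg"], None)
    return records


def naive_join(log_text, recipient):
    """Mimic a plain id join: collect the recipient's msg/delivery ids, then return
    every line anywhere in the log mentioning any of them.  With reused ids this
    also returns other recipients' lines, which is the post's problem."""
    msg_ids, delivery_ids = set(), set()
    for kind, f in parse(log_text):
        if kind == "starting" and f["rcpt"] == recipient:
            msg_ids.add(f["msg"])
            delivery_ids.add(f["delivery"])
    return [f["raw"] for _, f in parse(log_text)
            if f.get("msg") in msg_ids or f.get("delivery") in delivery_ids]


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG, "alice@example.org"):
        print(r["msg"], r["delivery"], r["status"], r["detail"])
    print(len(naive_join(SAMPLE_LOG, "alice@example.org")), "lines from the naive id join")
```

For alice@example.org the scoped pass yields exactly her two attempts (a success on message 33778541 and a hard failure on 33778600), while the naive join returns 15 lines, including bob's mail that later reused message id 33778541 and carol's delivery that reused delivery id 7512293 after the restart. The same boundaries ("new msg" to "end msg", and "starting delivery" to the delivery result) are what a time-scoped grouping has to respect in Splunk.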
The union command merges two or more sets of results into one dataset: it appends the events from the different datasets. Find below the skeleton of the usage of the union command in Splunk:

    | union <subsearch-options> <dataset> [<dataset>...]

Dataset: the sets of results you want to union are known as datasets. It is a required argument. There are two types of datasets:
  1. Named dataset: data models, lookups, saved searches etc.
  2. Unnamed dataset: a subsearch is an unnamed dataset.

Subsearch-options: maxtime=<int> maxout=<int> timeout=<int> are optional arguments.
  1. maxtime is the maximum number of seconds to run the subsearch.
  2. maxout is the maximum number of results returned from the subsearch.
  3. timeout is the maximum amount of time, in seconds, to cache the subsearch results (default 300 seconds).

Example 1: | union [search index=_internal], [search index=_audit] | stats count by index

Here, as you can see, we merged results from two different indexes (_internal and _audit). This way you can specify any number of datasets, each within "[]" and delimited by a comma ",". At last, using the stats command, we have shown the number of events from both indexes.

Example 2: index=_internal | chart count by method | union [search index=_audit | chart count by method]

Here we again merged results from the two indexes (_internal and _audit), but in a different manner: the base search (index=_internal | chart count by method) is followed by the union command, and the results are merged row-wise. In the picture, the orange marked box is the result of the _internal index and the green marked box is the result of the _audit index.

This basically does the same as the append command: if we replace union with append, it will generate the same result.

Example 3: | append lookup:"countries_gdp.csv"

Here we used a lookup as the named dataset and appended the data of the _internal index with the lookup file "countries_gdp.csv". In the above picture the red boxed area is the result of "countries_gdp.csv" and the green box shows the raw data set of the _internal index.





