The email in question was part of a larger mail processing job, and we're using qmail to process these mails. Yes, qmail – it works great when it comes to doing high-volume, outbound-only deliveries in a short time. The challenge is that qmail has an interesting way of logging in the current log, which looks like

    new msg 33778541
    info msg 33778541: bytes 7703 from qp 2151
    starting delivery 7512293: msg 33778541 to remote
    delivery 7512293: success: 176.34.178.125_accepted_message./Remote_host_said:_250_OK_id=1evM4J-0005W8-QC/
    end msg 33778541

I am not talking about the funny-looking tai64 timestamps, but rather the message and delivery ids.

The message id is based on the Linux filesystem inode id for the mail file sitting in the queue. While being unique at a given time, multiple different mails will use the same message id over time.

The delivery id is just a counter that increments with every message processed. It will start from scratch if you restart qmail, and so again, this id is not unique over a longer time.

While you get the information that a particular delivery has been started for a given message id, all further information regarding the progress of this delivery is logged only with the delivery id, but does not show the message id again.

That's probably due to the way the qmail architecture uses different processes for isolated tasks. In order to get a comprehensive Splunk report for a given email address and to make it run in acceptable time, I had to learn about Splunk subsearches and transaction grouping.

Use a subsearch to narrow down relevant events

First, let's start with a simple Splunk search for the recipient address.

    index=mail sourcetype=qmail_current

In particular, this will find the starting delivery events for this address, like the third log line shown above. Having done our homework, Splunk extractions are set up in a way that we get the qmail_msg and qmail_delivery fields for this event.

Now, in order to get a complete report including delivery progress, we need to consider all log events that include either the appropriate message id or delivery id. With a default Splunk subsearch, the outer search will get all events where every field returned from the subsearch matches. This works because Splunk applies the format command implicitly on subsearches.

    index=mail sourcetype=qmail_current | fields qmail_msg qmail_delivery | format

This will return a single event with a field named search and a value like

Then, the value from this search field is taken as a replacement for the subsearch part of the query. Finally, the resulting query is executed.

You can, in fact, put the format command in your subsearch yourself and use parameters to modify the resulting string. Let's do this and directly combine it with a subsearch:

This search fetches all log events that either have a message id or a delivery id for any message or delivery ids that appear in context with the recipient address.
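The same correlation done outside Splunk, as an added example that is not from the original post: it groups qmail log lines into one transaction per queued mail, so that reused message and delivery ids do not mix different mails. The log lines, addresses and the function names `transactions` and `report` are constructed for illustration.

```python
import re

# Constructed sample in the page's log format (timestamps omitted, addresses
# made up). Message id 33778541 is reused by a second mail after "end msg".
SAMPLE_LOG = """\
new msg 33778541
info msg 33778541: bytes 7703 from <jobs@example.org> qp 2151 uid 89
starting delivery 7512293: msg 33778541 to remote alice@example.com
delivery 7512293: success: 192.0.2.10_accepted_message./Remote_host_said:_250_OK/
end msg 33778541
new msg 33778541
info msg 33778541: bytes 1200 from <jobs@example.org> qp 2160 uid 89
starting delivery 7512294: msg 33778541 to remote bob@example.com
delivery 7512294: deferral: Connection_timed_out/
""".splitlines()

START = re.compile(r"starting delivery (\d+): msg (\d+) to (?:remote|local) (\S+)")
DELIVERY = re.compile(r"delivery (\d+): (\w+):")

def transactions(lines):
    """Group log lines into one transaction per queued mail (hypothetical helper)."""
    open_msgs, open_deliveries, result = {}, {}, []
    for line in lines:
        txn = None
        if m := re.match(r"new msg (\d+)", line):
            # A reused message id opens a fresh transaction instead of merging.
            txn = {"msg": m[1], "rcpts": [], "status": {}, "events": []}
            open_msgs[m[1]] = txn
            result.append(txn)
        elif m := re.match(r"info msg (\d+):", line):
            txn = open_msgs.get(m[1])
        elif m := re.match(r"end msg (\d+)", line):
            txn = open_msgs.pop(m[1], None)
        elif m := START.match(line):
            txn = open_msgs.get(m[2])
            if txn:
                # Progress lines carry only the delivery id, so remember the link.
                open_deliveries[m[1]] = txn
                txn["rcpts"].append(m[3])
        elif m := DELIVERY.match(line):
            txn = open_deliveries.pop(m[1], None)  # attempt finished, id may recur
            if txn:
                txn["status"][m[1]] = m[2]
        if txn:
            txn["events"].append(line)
    return result

def report(lines, rcpt):
    """All transactions that contain a delivery to rcpt, with every related event."""
    return [t for t in transactions(lines) if rcpt in t["rcpts"]]
```

Lines whose message or delivery id was never opened in the input (for example when the log starts mid-delivery) are skipped rather than attached to the wrong mail.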