Splunk transaction timestamps events
The email in question was part of a larger mail processing job, and we're using qmail to process these mails. Yes, qmail – it works great when it comes to doing high-volume, outbound-only deliveries in a short time. The challenge is that qmail has an interesting way of logging in the current log, which looks like this:

new msg 33778541
info msg 33778541: bytes 7703 from qp 2151
starting delivery 7512293: msg 33778541 to remote
delivery 7512293: success: 176.34.178.125_accepted_message./Remote_host_said:_250_OK_id=1evM4J-0005W8-QC/
end msg 33778541

I am not talking about the funny-looking tai64 timestamps, but rather the message and delivery ids. The message id is based on the Linux filesystem inode id for the mail file sitting in the queue. While it is unique at a given time, multiple different mails will use the same message id over time. The delivery id is just a counter that increments with every message processed. It starts from scratch if you restart qmail, so again, this id is not unique over a longer time.

While you get the information that a particular delivery has been started for a given message id, all further information regarding the progress of this delivery is logged only with the delivery id and does not show the message id again. That's probably due to the way the qmail architecture uses different processes for isolated tasks.

In order to get a comprehensive Splunk report for a given email address and to make it run in acceptable time, I had to learn about Splunk subsearches and transaction grouping.

Use a subsearch to narrow down relevant events

First, let's start with a simple Splunk search for the recipient address:

index=mail sourcetype=qmail_current

In particular, this will find the starting delivery events for this address, like the third log line shown above.
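To make the id problem concrete, here is an added example (not code from the original post) that does outside Splunk what the post needs transaction grouping for: it reads qmail-send "current" log lines and correlates them into per-message transactions, treating a message id as valid only between its "new msg" and "end msg" lines and a delivery id only between "starting delivery" and its result. The log text, addresses and ids are constructed for the example; the sample deliberately reuses message id 33778541 for two unrelated mails so you can see that naive keying on the id would merge them.

```python
"""Correlate qmail-send 'current' log lines into per-message transactions.

Added example, not code from the original post: the log text, addresses and ids
below are constructed. Lines carry the tai64n label multilog writes in front of
every qmail-send line.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: msg id 33778541 is reused by a second, unrelated mail after the
# first one ends, and the retried delivery of the second mail gets a fresh delivery id.
SAMPLE_LOG = """\
@400000005a9c0a2b0d3f7b1c new msg 33778541
@400000005a9c0a2b0d4a0c2a info msg 33778541: bytes 7703 from <alice@example.org> qp 2151 uid 1000
@400000005a9c0a2b0f1e9a44 starting delivery 7512293: msg 33778541 to remote bob@example.net
@400000005a9c0a2c0215c6d0 delivery 7512293: success: 203.0.113.10_accepted_message./Remote_host_said:_250_OK_id=CONSTRUCTED-1/
@400000005a9c0a2c0220ff00 end msg 33778541
@400000005a9c0a2c02210000 status: local 0/10 remote 0/20
@400000005a9c0b0001000000 new msg 33778541
@400000005a9c0b0002000000 info msg 33778541: bytes 512 from <carol@example.org> qp 2160 uid 1000
@400000005a9c0b0003000000 starting delivery 7512294: msg 33778541 to remote bob@example.net
@400000005a9c0b0004000000 delivery 7512294: deferral: Connected_to_203.0.113.20_but_greeting_failed./
@400000005a9c0b0005000000 starting delivery 7512295: msg 33778541 to remote bob@example.net
@400000005a9c0b0006000000 delivery 7512295: success: 203.0.113.20_accepted_message./
@400000005a9c0b0007000000 end msg 33778541
"""

LINE_RE = re.compile(r"^(@[0-9a-f]{24}) (.*)$")
NEW_RE = re.compile(r"^new msg (\d+)$")
INFO_RE = re.compile(r"^info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+)")
START_RE = re.compile(r"^starting delivery (\d+): msg (\d+) to (local|remote) (\S+)$")
RESULT_RE = re.compile(r"^delivery (\d+): (success|failure|deferral): (.*)$")
END_RE = re.compile(r"^end msg (\d+)$")


def tai64n_to_unix(label: str) -> float:
    """Decode a tai64n label: '@', 16 hex digits of seconds (offset 2**62), 8 hex digits
    of nanoseconds. Leap seconds are ignored, so the value is a few tens of seconds off
    UTC; that is good enough for ordering events, which is all this example needs."""
    secs = int(label[1:17], 16) - (1 << 62)
    nanos = int(label[17:25], 16)
    return secs + nanos / 1e9


@dataclass
class Delivery:
    delivery_id: str
    recipient: str
    kind: str                 # "local" or "remote"
    started: float
    status: str = "pending"   # success / failure / deferral / pending
    detail: str = ""


@dataclass
class MailTransaction:
    msg_id: str
    opened: float
    sender: str = ""
    size: int = 0
    deliveries: list[Delivery] = field(default_factory=list)
    closed: float | None = None


def parse_qmail_log(text: str) -> list[MailTransaction]:
    """Group lines into transactions. Ids are looked up in tables of *currently open*
    messages and deliveries rather than used as global keys, because both are reused."""
    open_msgs: dict[str, MailTransaction] = {}
    open_deliveries: dict[str, Delivery] = {}
    finished: list[MailTransaction] = []
    for raw in text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue  # not a multilog-stamped line
        ts, body = tai64n_to_unix(line.group(1)), line.group(2)
        if m := NEW_RE.match(body):
            if m.group(1) in open_msgs:  # missed 'end msg': close the stale one as incomplete
                finished.append(open_msgs.pop(m.group(1)))
            open_msgs[m.group(1)] = MailTransaction(msg_id=m.group(1), opened=ts)
        elif m := INFO_RE.match(body):
            if txn := open_msgs.get(m.group(1)):
                txn.sender, txn.size = m.group(3), int(m.group(2))
        elif m := START_RE.match(body):
            did, msg_id, kind, rcpt = m.groups()
            if txn := open_msgs.get(msg_id):
                d = Delivery(did, rcpt, kind, ts)
                txn.deliveries.append(d)
                open_deliveries[did] = d
        elif m := RESULT_RE.match(body):
            if d := open_deliveries.pop(m.group(1), None):
                d.status, d.detail = m.group(2), m.group(3)
        elif m := END_RE.match(body):
            if txn := open_msgs.pop(m.group(1), None):
                txn.closed = ts
                finished.append(txn)
    return finished


def report_for_recipient(txns: list[MailTransaction], address: str) -> list[tuple[str, str, str]]:
    """Flatten to (sender, delivery id, status) for one recipient: the report the post is after."""
    return [(t.sender, d.delivery_id, d.status)
            for t in txns for d in t.deliveries if d.recipient == address]


if __name__ == "__main__":
    for sender, did, status in report_for_recipient(parse_qmail_log(SAMPLE_LOG), "bob@example.net"):
        print(f"{sender:>20} delivery {did}: {status}")
```

The scoping rule in parse_qmail_log is the same one Splunk's transaction command applies when you give it start and end conditions: an id only ties events together inside the window that a "new msg" line opens and an "end msg" line closes, so a reused id after the window starts a new group instead of being merged into the old one.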