|
Hi All! I have the problem to rebuild transactions from postfix/amavis logs, where the message is processed by a pipeline of different steps/processes and at a certain point, a new processing requests is queued in the pipeline. I have in an event the original "queue_id" and a new "queued_as" id, that in a next event will appear as a new "queue_id". Transactions are already quite complex, because to link the several different events I have to use several fields: from (message sender), queue_id, message_id, thread_id(of amavis logs, correlated by message_id to postfix), and then if in an amavis event I have a queued_as, the value of this field is the value I'll find in some other event in the "queue_id" again. As it doesn't work to have a single transaction, because the queue_id value changes, I thought to create different transactions and the "join" them, with something like "queued_as=queue_id". So I need to correlate events with a "queue_id" with events that have the same "queued_as" value. The idea is something like this: source=aslog NOT noqueue | transaction from, queue_id, queued_as, thread_id, message_id | innerjoin queue_id=queued_as Thanks for help!!! Marco |
|
If queue_id and queued_as don't occur in the same log line, you could use a field alias to map them to the same name (queue_id), and use transaction on that field. |
