I have this search:
index=syslog source=/var/log/maillog (host=imail3.* OR host=imail4.*) DEFERRED| top to showperc=0 | addcoltotals
That gives me the top deferred email domains.
The log line is like:
2015-04-22T10:33:40.000000-07:00 imail4 postfix/error[16223]: 674E55A8: to=, relay=none, delay=600, delays=600/0.09/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to backns2[10.15.0.104]:25: Connection refused)
For the top 10 domains, I want to add a column to show me for how long I have only deferred; a NOT "status=deferred" will reset that counter for that domain.
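The counter logic asked for above, as an added example that is not part of the original post: Python (not SPL) that walks the events in time order per recipient domain, counts deferrals, and restarts the streak clock on any status other than deferred. The sample lines, the `to=<...>` addresses, the `.example` domains and the function name `deferred_streaks` are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines in the maillog layout quoted above; queue IDs and
# recipient addresses are made up (the quoted line has an empty to= field).
SAMPLE = """\
2015-04-22T10:03:40.000000-07:00 imail4 postfix/smtp[16001]: 11AA: to=<a@slow.example>, relay=none, delay=10, dsn=4.4.1, status=deferred (connect refused)
2015-04-22T10:13:40.000000-07:00 imail3 postfix/smtp[16002]: 22BB: to=<b@slow.example>, relay=mx.slow.example[192.0.2.1]:25, delay=1, dsn=2.0.0, status=sent (250 ok)
2015-04-22T10:23:40.000000-07:00 imail4 postfix/error[16003]: 33CC: to=<a@slow.example>, relay=none, delay=600, dsn=4.4.1, status=deferred (suspended)
2015-04-22T10:33:40.000000-07:00 imail4 postfix/error[16223]: 44DD: to=<c@slow.example>, relay=none, delay=600, dsn=4.4.1, status=deferred (suspended)
2015-04-22T10:30:00.000000-07:00 imail3 postfix/smtp[16004]: 55EE: to=<d@down.example>, relay=none, delay=5, dsn=4.4.1, status=deferred (timeout)
"""

# timestamp, recipient domain, delivery status
LINE = re.compile(r"^(\S+) \S+ postfix/\S+: \S+ to=<[^>@]*@([^>]+)>.*\bstatus=(\w+)")

def deferred_streaks(text, now, limit=10):
    """Return (domain, deferred_count, seconds_in_current_deferred_only_streak)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # lines without a usable to=<user@domain> are skipped
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(2).lower(), m.group(3)))
    state = {}  # domain -> [deferred count, start of current streak or None]
    for ts, domain, status in sorted(events):
        st = state.setdefault(domain, [0, None])
        if status == "deferred":
            st[0] += 1
            if st[1] is None:
                st[1] = ts      # first deferral since the last reset
        else:
            st[1] = None        # any non-deferred status resets the counter
    rows = []
    for domain, (count, start) in state.items():
        secs = int((now - start).total_seconds()) if start else 0
        rows.append((domain, count, secs))
    return sorted(rows, key=lambda r: -r[1])[:limit]

if __name__ == "__main__":
    now = datetime.fromisoformat("2015-04-22T11:00:00-07:00")
    for domain, count, secs in deferred_streaks(SAMPLE, now):
        print(f"{domain:15} deferred={count} only_deferred_for={secs}s")
```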