I want to search for the following transaction:
Logfile1:
20081104 23:55:17 6E/28-07006-952A0194 ECINFO Age=16011.896113 Retry=0 Spam=
20081104 23:55:17 6E/28-07006-952A0194 RELAY Originator=<test@test.com> Size=1459 NextHop=192.168.1.10 IP=172.21.1.72 Response='250 <48F795F000627964@bla.bla> Mail accepted'
Logfile2:
20081108 00:00:40 48F795F000627964 DELIVER VOLUME=1388 MAILBOX=blabla@test.com
20081108 00:00:40 48F795F000627964 DELIVER Subject=Join community of upsized dudes
20081108 00:00:40 48F795F000627964 DELIVER Relay=195.186.18.32
20081108 00:00:40 48F795F000627964 DELIVER Content-Type=multipart/mixed;
20081108 00:00:40 48F795F000627964 DELIVER X-Priority=unknown
Logfile1 contains the messageid 6E/28-07006-952A0194. The message will be passed to host2 and a new messageid will be assigned: "48F795F000627964".
You can see the link in the second line of the first logfile.
I have extracted both primary messageids from both events, plus the event from the first logfile's second line.
The transaction command does return a transaction, but it misses the first line of the first logfile... which I think is because the link between both logfiles comes later...
How can I get a complete transaction out of it?
My search looks like this:
host="localhost" |transaction fields=messageid maxspan=10d maxpause=10d
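
The linkage described in the question, reproduced outside Splunk as an added example (not part of the original post, and not Splunk's own transaction logic): the id in the RELAY line's `Response='250 <...@...>'` is treated as an alias of the line's own messageid, and events are grouped only after every line has been read. The function name `stitch` and the assumption that the next hop's id always appears before the `@` in the 250 response are illustrative.

```python
import re
from collections import defaultdict

# Log lines copied from the post above.
LOGFILE1 = """\
20081104 23:55:17 6E/28-07006-952A0194 ECINFO Age=16011.896113 Retry=0 Spam=
20081104 23:55:17 6E/28-07006-952A0194 RELAY Originator=<test@test.com> Size=1459 NextHop=192.168.1.10 IP=172.21.1.72 Response='250 <48F795F000627964@bla.bla> Mail accepted'
"""
LOGFILE2 = """\
20081108 00:00:40 48F795F000627964 DELIVER VOLUME=1388 MAILBOX=blabla@test.com
20081108 00:00:40 48F795F000627964 DELIVER Subject=Join community of upsized dudes
20081108 00:00:40 48F795F000627964 DELIVER Relay=195.186.18.32
20081108 00:00:40 48F795F000627964 DELIVER Content-Type=multipart/mixed;
20081108 00:00:40 48F795F000627964 DELIVER X-Priority=unknown
"""

# "<date> <time> <messageid> <event type> <key=value ...>"
LINE = re.compile(r"^(\d{8} \d\d:\d\d:\d\d) (\S+) (\S+) ?(.*)$")
# Assumption: the next hop's id sits before the '@' in the 250 response.
HANDOFF = re.compile(r"Response='250 <([^@>]+)@")

def stitch(*logs):
    """Return {root messageid: time-sorted [(timestamp, messageid, type)]}."""
    parent = {}
    def find(x):  # union-find lookup with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    events = []
    for log in logs:
        for line in log.splitlines():
            m = LINE.match(line)
            if not m:
                continue
            ts, msgid, kind, rest = m.groups()
            events.append((ts, msgid, kind))
            find(msgid)
            h = HANDOFF.search(rest) if kind == "RELAY" else None
            if h:  # merge the downstream id into this message's set
                parent[find(h.group(1))] = find(msgid)
    groups = defaultdict(list)
    for ev in events:  # grouped last, so where the link appears is irrelevant
        groups[find(ev[1])].append(ev)
    return {root: sorted(evs) for root, evs in groups.items()}
```
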