I can't wrap my head around how to accomplish this, but postfix logs two separate events for one email. The first event contains the from address:
Feb 27 11:30:10 mail postfix/qmgr[8620]: 24C4C681F19: from=jhon@gmail.com, size=8209, nrcpt=1 (queue active)
Feb 27 11:30:11 mail postfix/amavis/smtp[50690]: 24C4C681F19: to=salam@gmail.com, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, delays=1.2/0.01/0/0.93, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as F3433681F7C)
I want to build a search based on the from address, but do stats on the status (separate counts for deffered, sent, reject etc.). Anyway I could make splunk realize these two events are related?
I need help.
Thanks all