Multi Document Search in the Same Index

ShashikanthKomandoor · August 30, 2020, 6:06pm

Hi Team,

I am pushing the /var/log/maillog to ELK Stack version 6.X

I was able to use the postfix grok filters available in github and create the indices, documents, fields and so and also I am able to see in Kibana too.

I am capturing the header message id in the /var/log/maillog which is being pushed to ELK.

I want to know through ELK searches that the message ids which got successfully sent, deferred and softbounce.

Here I faced the challenge of writing the query of search for the above requirement as the header message id is recorded in /var/log/maillog in one line while the delivery status would be recorded in a different line.

As per my understanding, each record or each line in the log file is called as a document in an Index. Correct me if I am wrong.

So, is there a way that would solve my requirement ? This has become a great challenge from past few days for me.

warkolm · August 31, 2020, 2:03am

Yes, that's correct

Transforming data | Elasticsearch Guide [7.9] | Elastic should be able to do what you want. Basically you want to create an entity-centric index, where the entity is the unique postfix ID.

ShashikanthKomandoor · August 31, 2020, 8:48am

Thank you Warkolm for your immediate response. I am new to this concept of Transforming Data. Let me first study this and come back to you if any queries.

system · September 28, 2020, 8:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.