topic Re: Can Splunk be used to sort through emails? in Reporting

Can Splunk be used to sort through emails?

marykyeung — Tue, 28 May 2013 20:13:07 GMT

Can emails be sent directly to a Splunk server so it can go through and alert on emails of interest?

Re: Can Splunk be used to sort through emails?

okrabbe_splunk — Wed, 29 May 2013 02:06:06 GMT

You can't send it directly to splunk but I guess you could send it to an account on a server and index the mbox file on the server.

However, I am not sure this is the best technology fit. Usually people use Splunk to monitor everything at the mail server rather than sending messages directly to it to index.

Re: Can Splunk be used to sort through emails?

jtrucks — Thu, 13 Jun 2013 20:29:44 GMT

There are people who have indexed maildir directory trees or individual files using Splunk. Because there are datestamps in the file, it's not too bad at figuring out the timestamp. However, you might have to futz with the header fields to make subject et al. searchable.

Search Splunk-Base for "maildir" to find more examples.

Re: Can Splunk be used to sort through emails?

jpass — Sat, 17 Aug 2013 22:16:35 GMT

If what you are after is a general idea of whether you can index and search larger blocks of text like e-mails, then yes. I have a few hundred thousand emails indexed. But I do it a little differently. I store the data in a database and use a scripted input to format the content in a way that makes it easy to create fields in transforms.conf

edit: I would add, like the commenter above, it's probably not the best tool for this kind of job though.