All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can someone explain how splunk stream can be used to get email headers

schandrasekar
Loves-to-Learn
‎08-04-2020 08:50 PM

The goal is to find the delay between the time sender sents the mail and recipient receive the mail , if the delay is more than 10 mins then alert

Options tried:

Message tracking logs C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking in exchange server2010. But the logs didn provide the actual time when the user sent the email, also the original IP of the sender is replaced with LB/Exchange server/relay server/firewall.

So now I looking for other options. One of them is using Splunk stream. 

Please provide your suggestions.

Labels (2)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎08-04-2020 09:02 PM

In the message tracking logs, you should see field called event which actually contains SEND,DELIVER,RECEIVE 

if you can minus the time of send from time of receive  by message_id then you should get what you want.

————————————
If this helps, give a like below.
0 Karma
Reply

schandrasekar
Loves-to-Learn
‎08-04-2020 10:48 PM

@thambisetty date_time doesn't look like the time when the message was sent by the user. Also, I am looking for original IP field to be the actual sender IP 

https://docs.microsoft.com/en-us/exchange/mail-flow/transport-logs/message-tracking?view=exchserver-...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...