I am new to Splunk and need to configure emails coming from different mailboxes into Splunk. I have downloaded the IMAP Mailbox app from the deployment server UI. I need to figure out where and what changes need to be made and where it should be deployed.
The TA is part of the download in the addons/directory.
I have this on the deployment server
/opt/splunk/etc/apps/IMAPmailbox and under that I have directories appserver, bin, default, local, metadata, README.md, static
If I look into appserver directory - /opt/splunk/etc/apps/IMAPmailbox/appserver/addons, I find the IMAPmailbox-TA
I find the indexes.conf in /opt/splunk/etc/apps/IMAPmailbox/default and /opt/splunk/etc/apps/IMAPmailbox/appserver/addons/IMAPmailbox-TA/default
[root@wg0305 default]# ls
app.conf fields.conf inputs.conf restmap.conf ui-prefs.conf
data imap.conf macros.conf savedsearches.conf
datamodels.conf indexes.conf props.conf setup.xml
and also in
[root@wg0305 default]# ls
app.conf imap.conf inputs.conf props.conf ui-prefs.conf
datamodels.conf indexes.conf macros.conf savedsearches.conf
I have 2 environments, UAT and Production, configured for Splunk - index names = bluesky-uat and bluesky-prod
I have to pick mail from the uat mailbox into the bluesky-uat index and from the prod mailbox into the bluesky-prod index
Please verify that I am doing the right thing. I have not made any changes to /opt/splunk/etc/apps/IMAPmailbox/appserver/addons/IMAPmailbox-TA/default
1) Logged on to the Linux deployment server and copied default/imap.conf to local/imap.conf in opt/splunk/etc/apps/IMAPmailbox (not in /opt/splunk/etc/apps/IMAPmailbox/appserver/addons/IMAPmailbox-TA/default)
2) Changed the imap.conf in local for Email server name, user id/password and port
3) Copy /opt/splunk/etc/apps/IMAPmailbox to opt/splunk/etc/deployment-apps/IMAPmailbox-uat and opt/splunk/etc/deployment-apps/IMAPmailbox-prod on the deployment server
4) Do I need this to go to the search server, and how do I deploy this from the deployment server - with the scp command or with reload deploy-server (which server does it need to be deployed to - search head or indexers)?
5) Restart Splunk
You just asked a whole bunch of questions. I don't know if I can really answer them.
If you are using a deployment server, you need to be careful with search heads and indexers depending on whether you used a cluster or not. You could also look at using the deployer method. My instructions below can be done manually; you will need to decide for yourself.
You can pick any index you want, just make sure the index is consistent with your UAT or prod across all systems.
Install instructions are in the TA
Install this TA on all Forwarder(s) or Indexer(s) in the SPLUNK/etc/apps/ directory.
Install the App on your Search head(s).
Disable the input script.
Make sure that "disabled = true" for all of the inputs in the App under default/inputs.conf.
Enable inputs on ONE of your TAs.
Pick just one of the TA installs to be the collection point.
Copy defaults/imap.conf to local/imap.conf
Edit local/imap.conf with your correct server and user settings.
Copy defaults/inputs.conf to local/inputs.conf
Edit the inputs.conf file and enable the Unix or Windows script input.
Set "disabled = false" on the script input to enable it.
Restart splunk on all systems to make sure settings take effect.
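As an added example that is not part of the answer above or of the IMAPmailbox app/TA, here is a POSIX shell script that carries out the "copy default to local, enable one script input" steps for one deployment-apps copy per environment, binding each copy to its own index while leaving default/ untouched. The stanza names, imap.conf keys and temporary paths are constructed assumptions, not the app's real schema.

```shell
#!/bin/sh
# Added example, not code from the thread or from the IMAPmailbox app/TA.
# enable_script_input seeds local/inputs.conf from default/inputs.conf, then enables only the
# script stanza whose name contains PATTERN and points it at INDEX. default/ is never edited.
set -eu

enable_script_input() {            # usage: enable_script_input APP_DIR PATTERN INDEX
    appdir=$1 pat=$2 idx=$3
    mkdir -p "$appdir/local"
    # local/ overrides default/ at load time; edit a copy, never default/ itself
    [ -f "$appdir/local/inputs.conf" ] || cp "$appdir/default/inputs.conf" "$appdir/local/inputs.conf"
    awk -v pat="$pat" -v idx="$idx" '
        /^\[/ { tgt = (index($0, pat) > 0); print
                if (tgt) { print "disabled = false"; print "index = " idx }; next }
        tgt && /^[ \t]*(disabled|index)[ \t]*=/ { next }   # drop stale keys in the target stanza
        { print }
    ' "$appdir/local/inputs.conf" > "$appdir/local/inputs.conf.tmp"
    mv "$appdir/local/inputs.conf.tmp" "$appdir/local/inputs.conf"
    # local/imap.conf carries the mailbox password: keep it readable by the splunk user only
    [ -f "$appdir/local/imap.conf" ] && chmod 600 "$appdir/local/imap.conf"
    return 0
}

stanza_value() {                   # usage: stanza_value APP_DIR PATTERN KEY  -> prints the value
    awk -v pat="$2" -v key="$3" '
        /^\[/ { tgt = (index($0, pat) > 0); next }
        tgt && $1 == key && $2 == "=" { print $3; exit }
    ' "$1/local/inputs.conf"
}

make_demo_app() {                  # constructed app skeleton; stanza names and keys are placeholders
    d=$(mktemp -d)
    mkdir -p "$d/default" "$d/local"
    printf '%s\n' '[script://./bin/get_imap_email.py]' 'disabled = true' 'interval = 300' '' \
                  '[script://./bin/get_imap_email.bat]' 'disabled = true' > "$d/default/inputs.conf"
    printf '%s\n' '[default]' 'server = imap.example.com' 'password = CHANGEME' > "$d/local/imap.conf"
    echo "$d"
}

for env in uat prod; do            # one app copy per environment, each bound to its own index
    app=$(make_demo_app)
    enable_script_input "$app" get_imap_email.py "bluesky-$env"
    printf '%s: index=%s disabled=%s\n' "$env" \
        "$(stanza_value "$app" get_imap_email.py index)" "$(stanza_value "$app" get_imap_email.py disabled)"
    rm -rf "$app"
done
```

Run it against a real copy by calling enable_script_input with the deployment-apps path and the stanza name from the TA's own default/inputs.conf; the deployment server then pushes local/ along with the rest of the app.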