The mailbox is part of the TA config. Is cloning the TA really the only way to monitor several mailboxes, or am I missing something?
Currently getting the mail per mailbox requires one imap.conf file. You do not need to clone the app exactly, but you could deploy the TA for different mailboxes.
Currently getting the mail per mailbox requires one imap.conf file. You do not need to clone the app exactly, but you could deploy the TA for different mailboxes.
Just to be more clear. The app itself can only call one IMAP account to login and index email. But since this app supports a distributed design, ie, it has a TA you can deploy. There is no reason you could not deploy multiple TAs each configured for a different IMAP mail account.
You can find the TA in the main IMAP Mailbox app directory IMAPmailbox/appserver/addons/IMAPmailbox-TA/
Copy this directory to the main apps directory /opt/splunk/etc/apps/...
Make multiple copies of the TA for each of your accounts.
Then in each TA directory create a local/imap.conf file for each of your email accounts. You are welcome to change their indexes too or other attributes if you wish.
Restart Splunk and check to see if their are indexing.
thanks
There's more to this unfortunately. You have to rename the python scripts because if you have the TA installed on the same box as the App, you'll have a conflict when Splunk expands the path.
12-01-2015 07:51:46.785 +0000 WARN IConfCache - Stanza has an expansion [script:///opt/splunk/etc/apps/IMAPmailbox-TA/bin/get_imap_email.py], ignoring alternate expansion [script:///opt/splunk/etc/apps/IMAPmailbox/bin/get_imap_email.py] in inputs.conf
So what you end up with is the input.conf from the TA overriding the inputs.conf from the app. You effectively stop monitoring one IMAP account and start monitoring the other.
In the TA, I believe you will have to rename the get_imap_email.py to something like get_imap_email2.py and update both inputs.conf in default and local directories.
I had to stop restarting Splunk every 5-10 minutes so we could get some work done. I'll try this again another dy and post my findings.
cloning the TA works as you obtain a different path
Yes, perhaps, but doing what ragingwire described is not complete. You can't just copy the TA to /opt/splunk/etc/apps and update imap.conf. The paths are different:
/opt/splunk/etc/apps/IMAPmailbox/bin/get_imap_email.py
/opt/splunk/etc/apps/IMAPmailbox-TA/bin/get_imap_email.py
But Splunk doesn't seem to care because in inputs.conf, the name of the script is the same:
[script://./bin/get_imap_email.py]
Even though it expands to a different path, when you look at the "Data Inputs" page in Splunk, you'll only see ONE get_imap_email.py enabled and working.
Any updates with this? I'd like to do the same thing, that is monitor multiple IMAP accounts from the same box. Distributing is my last resort.
You are right if the TAs are on the same box as another IMAP TA or main app the files would conflict. If you only have one box you would need to rename everything.
The TA was meant to be installed in a distributed design. So if you had other forwarders you could put one on each per mail account. Then you are not renaming everything.
This almost worked. There seems to be a problem with inputs.conf and the name of the script. After copying the TA to /opt/splunk/etc/apps and making the changes you described, Splunk logged the following:
12-01-2015 07:51:46.785 +0000 WARN IConfCache - Stanza has an expansion [script:///opt/splunk/etc/apps/IMAPmailbox-TA/bin/get_imap_email.py], ignoring alternate expansion [script:///opt/splunk/etc/apps/IMAPmailbox/bin/get_imap_email.py] in inputs.conf
When you look at the "Data Inputs" in Splunk, the input for the IMAPmailbox app was replaced by the "new" input for IMAPmailbox-TA.
So it's more involved than just copying the TA to /opt/splunk/etc/apps. I think you would also have to rename the python script to get_imap_email2.py and update the inputs.conf files in default and local before it will work.
I had to stop playing around as I was restarting Splunk every 5-10 minutes... will try again later and post my findings.