All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

IMAP Mailbox caching does not work on splunk 7+ (workaround to prevent dups)

langd
New Member
‎04-15-2020 08:21 PM

the code to keep track of what messages it has processed in splunk does not work with Splunk 7

but a simple workaround is to add a line around line 678 of get_imap_email.py (search for \Deleted and add the line outside of the if condition)

                    M.store(num, '+Flags', '(\Flagged)')

This will flag each message (the Important flag in outlook/exchange) and then you can search for UNFLAGGED in your imap.conf (or UNDELETED UNFLAGGED if you want to be a bit more careful)

As each message is processed, it will get flagged on the IMAP server, and not processed again. This will let you have two copies running on different heavy forwarders for redundancy (although there is some chance that both copies will process the same messages at the same time and duplicate them, but it's unlikely)

Tags (1)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...