Splunk for IMAP stop indexing data

jamesm84
New Member

We installed and configured Splunk for IMAP.
It worked and indexed data, but for some reason it stopped indexing data after a few hours.

Troubleshooting:

  • verified that the mailbox contains new messages
  • verified that the mailbox was not full.
  • when I ran "/opt/splunk/bin/splunk cmd python /splunk/etc/apps/imap/bin/getimap.py --debug" it connected to the mailbox but for some reason did not find any new messages.
  • I've deleted some of the old messages and changed the imap.conf filtering to "imapSearch = UNDELETED" instead of "imapSearch = UNDELETED SMALLER 204800"
  • After the changes Splunk indexed the new messages

I've enabled debug in imap.conf but I'm not sure what value it adds.

I want to know why it stopped and verify it won't happen again.

Where are the imap app log files located?
How can I troubleshoot it further?

pbalsley
Path Finder

You can always search the Splunk internal index for errors from the script.

index=_internal imap source="*splunkd.log"

See what you may find.

You can also run "tail -f var/log/splunk/python.log".

I also noticed that if you don't delete your email after indexing ("deleteWhenDone = True" in imap.conf), then the python script can take a looooong time to find the next set of emails to index. I noticed the script backlogged for 2 hours on my install. I had to purge my mailbox and then enable the delete option and things were ok again.
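
A read-only way to see how many messages each imapSearch value quoted in this thread would match, which shows whether the size filter is excluding mail and how large the undeleted backlog is. This is an added example, not part of the posts or of the Splunk IMAP app; the function names, the FakeMailbox stand-in and the sample mailbox are constructed for illustration.

```python
import imaplib

# The two imapSearch values quoted in the thread.
FILTERED = "UNDELETED SMALLER 204800"
UNFILTERED = "UNDELETED"

def count_matches(conn, criteria):
    """Count messages in the selected mailbox matching an IMAP SEARCH string."""
    typ, data = conn.search(None, *criteria.split())
    if typ != "OK":
        raise RuntimeError("SEARCH %s failed: %r" % (criteria, data))
    return len(data[0].split()) if data and data[0] else 0

def compare_filters(conn, mailbox="INBOX"):
    """Open the mailbox read-only and report what each filter would return."""
    typ, data = conn.select(mailbox, readonly=True)
    if typ != "OK":
        raise RuntimeError("SELECT %s failed: %r" % (mailbox, data))
    undeleted = count_matches(conn, UNFILTERED)
    filtered = count_matches(conn, FILTERED)
    return {"total": int(data[0]), "undeleted": undeleted,
            "matched_with_size_filter": filtered,
            "skipped_by_size_filter": undeleted - filtered}

class FakeMailbox:
    """Constructed stand-in for imaplib.IMAP4_SSL so the example runs offline."""
    def __init__(self, messages):          # messages: list of (size_bytes, deleted)
        self.messages = messages
    def select(self, mailbox, readonly=False):
        return "OK", [str(len(self.messages)).encode()]
    def search(self, charset, *criteria):
        limit = int(criteria[criteria.index("SMALLER") + 1]) if "SMALLER" in criteria else None
        hits = [str(i).encode() for i, (size, deleted) in enumerate(self.messages, 1)
                if not ("UNDELETED" in criteria and deleted)
                and (limit is None or size < limit)]
        return "OK", [b" ".join(hits)]

# Constructed sample: two small messages, one 300 KB message, one deleted message.
SAMPLE = FakeMailbox([(4096, False), (150000, False), (300000, False), (2048, True)])

if __name__ == "__main__":
    print(compare_filters(SAMPLE))
    # Against a real server (hypothetical host and credentials):
    #   conn = imaplib.IMAP4_SSL("imap.example.com"); conn.login(user, password)
    #   print(compare_filters(conn)); conn.logout()
```

A large "undeleted" count with nothing new being indexed points at the backlog described above; a non-zero "skipped_by_size_filter" means some mail is never returned while the SMALLER clause is in place.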

kristan
Explorer

Bump. I have a similar issue and the same questions.

If I run via the command line (as James did above) and pump the output to a log file, the log file will get the IMAP entries for the mail in the folder, but the mail index in Splunk never gets any data.
