Solved: index unix mailbox

dominiquevocat · ‎08-04-2011

We have many legacy scripts that send status messages by email. We strongly prefer not to modify the scripts and instead look for a way to index the emails.

I had the idea of sending the mails also to a mailbox on a unix server, idealy the machine running a splunk indexer and have the indexer index also the unix-style mailbox file so we can search all the messages.

Is this a) possible, b) sensible and how would i do it? (I guess index the path but yeah).

Thanks

fk319 · ‎08-05-2011

Interesting, it can be done, but there is a bit of work.

First, you will need to Splunk to use the mailbox as a source of logs (input.config). Then you will heve to teach Splunk to parse an mbox file so that each message is a single record (props.config and transform.config), LINEBREAKER I think it is called may be of value.

Is it sensable, that is up to you, it realy is not that hard, just getting splunk to understand mbox format, which is well defiend.

View solution in original post

fk319 · ‎08-05-2011

Interesting, it can be done, but there is a bit of work.

First, you will need to Splunk to use the mailbox as a source of logs (input.config). Then you will heve to teach Splunk to parse an mbox file so that each message is a single record (props.config and transform.config), LINEBREAKER I think it is called may be of value.

Is it sensable, that is up to you, it realy is not that hard, just getting splunk to understand mbox format, which is well defiend.

dominiquevocat · ‎08-24-2011

will give it a try. i mark it as solved, thanks.

index unix mailbox

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform