Deployment Architecture

index unix mailbox

dominiquevocat
SplunkTrust
SplunkTrust

We have many legacy scripts that send status messages by email. We strongly prefer not to modify the scripts and instead look for a way to index the emails.

I had the idea of sending the mails also to a mailbox on a unix server, idealy the machine running a splunk indexer and have the indexer index also the unix-style mailbox file so we can search all the messages.

Is this a) possible, b) sensible and how would i do it? (I guess index the path but yeah).

Thanks

Tags (2)
1 Solution

fk319
Builder

Interesting, it can be done, but there is a bit of work.


First, you will need to Splunk to use the mailbox as a source of logs (input.config). Then you will heve to teach Splunk to parse an mbox file so that each message is a single record (props.config and transform.config), LINEBREAKER I think it is called may be of value.


Is it sensable, that is up to you, it realy is not that hard, just getting splunk to understand mbox format, which is well defiend.

View solution in original post

fk319
Builder

Interesting, it can be done, but there is a bit of work.


First, you will need to Splunk to use the mailbox as a source of logs (input.config). Then you will heve to teach Splunk to parse an mbox file so that each message is a single record (props.config and transform.config), LINEBREAKER I think it is called may be of value.


Is it sensable, that is up to you, it realy is not that hard, just getting splunk to understand mbox format, which is well defiend.

dominiquevocat
SplunkTrust
SplunkTrust

will give it a try. i mark it as solved, thanks.

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...