Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I want to monitor my email directory

chris94089
Path Finder
‎07-14-2020 12:56 PM

We see lots of email alerts, and they come from a wide variety of places.  I want to understand them better.  So...

I thought I would have Splunk monitor the offensive email directory on my own machine (elmx files).  Splunk doesn't automatically break events by file, though.  

So then I tried to configure a custom sourcetype using regex, I just captured the beginning and ending lines, and the sourcetype works for a single email file.  

But when I tried to monitor the entire directory using my sourcetype, no data was ingested at all.

Why is this so hard? Splunk already knows that there's different sources, do I want Splunk to stop event breaking altogether? I'll try that...

 

thanks in advance!

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-14-2020 02:06 PM
Please post your current inputs.conf and props.conf files for the elmx files a well as some sample data (sanitized for your protection).
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...