We see lots of email alerts, and they come from a wide variety of places. I want to understand them better. So...
I thought I would have Splunk monitor the offensive email directory on my own machine (emlx files). Splunk doesn't automatically break events by file, though.
So then I tried to configure a custom sourcetype using regex; I just captured the beginning and ending lines, and the sourcetype works for a single email file.
But when I tried to monitor the entire directory using my sourcetype, no data was ingested at all.
Why is this so hard? Splunk already knows that there are different sources; do I want Splunk to stop event breaking altogether? I'll try that...
Thanks in advance!
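One way to get the one-event-per-file behaviour asked about above, as an added example that is not from the original post and not taken from any Splunk documentation page: instead of a regex that matches the first and last lines of a message, stop Splunk from breaking at all inside a file and let the end of each file close the event. The monitor path, index name and sourcetype name are assumptions; the settings are standard inputs.conf and props.conf keys. Two things that commonly cause "nothing is ingested" when a whole directory is monitored, and that the post does not rule out, are a CRC collision between files that start with the same bytes (handled by `crcSalt`) and a missing `whitelist` that lets non-message files pollute the input, so both are set here.

```ini
# inputs.conf  (added example; the path and index are assumptions)
[monitor:///Users/analyst/Library/Mail/Offensive]
sourcetype = apple_emlx
index = email
# Only pick up Apple Mail message files, not attachments or plist files
# that live alongside them.
whitelist = \.emlx$
# Splunk decides whether a file is "new" by a CRC of its first bytes.
# Mail files that start with similar Received:/From: headers can collide
# and be silently skipped; salting the CRC with the path avoids that.
crcSalt = <SOURCE>

# props.conf  (added example; sourcetype name is an assumption)
[apple_emlx]
# Merge every line into one event and never break: the regex below is
# chosen so it can never match, so only end-of-file ends an event.
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^never_match_this_line$
# Defaults (256 merged lines, 10000 bytes) would chop a long message.
MAX_EVENTS = 100000
TRUNCATE = 0
# Take the event time from the RFC 5322 Date: header instead of the
# file's modification time. (?m) lets ^ match at the start of that header
# line inside the multi-line event; the format assumes the usual
# "Tue, 05 Mar 2024 10:11:12 -0800" layout and should be checked against
# real messages.
TIME_PREFIX = (?m)^Date:\s+
TIME_FORMAT = %a, %d %b %Y %H:%M:%S %z
MAX_TIMESTAMP_LOOKAHEAD = 64
```

After changing these, restart the forwarder or the indexer, and remember that files already seen are tracked in the fishbucket, so test against a fresh copy of the directory (or `splunk clean eventdata` on a throwaway index) rather than expecting old files to be re-read.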