Getting Data In

Mandrill Webhooks CIM mapping

bondu
Explorer

I am importing Mandrill webhook data into Splunk, the format is described here:
http://help.mandrill.com/entries/58303976-Message-Event-Webhook-format

I want to map this data to the CIM Email format defined here:
http://docs.splunk.com/Documentation/CIM/latest/User/Email

Is it better practice to log the raw Mandrill format and build the data object in Splunk, or to transform the data into CIM Email format before logging? CPU time to map the data on import is negligible.

thanks in advance.

hvandenb
Path Finder

The Splunk CIM is really a way to overlay a model on top of the raw events. The power of Splunk is that you don't need to fit it into a model when your raw events come in as you can always make changes during design time.

In my experience I tend to leave the raw events as native as possible, so that it has the full richness of the source. Then use knowledge items, such as the CIM to enhance and normalize. The overhead of doing this is negligible. Additionally, if you use the CIM model you can accelerate your data which improves your overall search.

On a side note - I'm looking at doing WebHooks with Mandrill as well. Can you share how you've implemented the hooks?

0 Karma

bondu
Explorer

The implementation of this was to ingest the raw events from Mandrill and write to a log file for Splunk. The tricky part is all the JSON parsing at search time. We ended up having to inject some keys into the object at log time to get spath to play nice.

Be sure to enable the notification in Mandrill if the webhook fails, otherwise you may be silently missing messages.

With everything set up properly, we are able to tell which SMTP servers are delaying mail delivery and notify the client of potential problems.

-daniel

0 Karma
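To make the two posts above concrete (keep the raw event, normalize to CIM later; and log one event per line with a few injected keys so spath has something to hold on to), here is an added example receiver pipeline. It is not code from either poster. It assumes the event field names from the Mandrill format page linked in the question (`event`, `ts`, `_id`, `msg.sender`, `msg.email`, `msg.subject`, `msg._id`, `msg.smtp_events[].destination_ip/diag`), and the injected keys, the choice of CIM Email fields and the `event` to `action` mapping are this example's own. The signature check implements the scheme Mandrill documents for the `X-Mandrill-Signature` header (base64 of HMAC-SHA1 over the webhook URL followed by the sorted POST parameters); the key and URL are placeholders. The sample payload is constructed.

```python
"""Mandrill webhook -> one-JSON-line-per-event log for Splunk (added example).

Field names follow the Mandrill event webhook format page; injected keys,
CIM field choices and action mapping are assumptions of this example.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote_plus

# Constructed sample: one delivered message and one deferred message.
SAMPLE_EVENTS = [
    {"event": "send", "ts": 1365109999, "_id": "abc123",
     "msg": {"_id": "abc123", "ts": 1365109999, "state": "sent",
             "sender": "alerts@example.com", "email": "alice@example.org",
             "subject": "Invoice 42", "smtp_events": []}},
    {"event": "deferral", "ts": 1365110100, "_id": "def456",
     "msg": {"_id": "def456", "ts": 1365110050, "state": "deferred",
             "sender": "alerts@example.com", "email": "bob@example.net",
             "subject": "Invoice 43",
             "smtp_events": [{"ts": 1365110100, "type": "deferred",
                              "diag": "451 4.7.1 Greylisted, try later",
                              "source_ip": "203.0.113.10",
                              "destination_ip": "198.51.100.25", "size": 1024}]}},
]
# Mandrill posts a form body whose `mandrill_events` field is the JSON array.
SAMPLE_FORM_BODY = "mandrill_events=" + quote_plus(json.dumps(SAMPLE_EVENTS))

# Placeholders (assumptions): the webhook key from the Mandrill UI and the
# URL Mandrill was configured to post to.
WEBHOOK_KEY = "replace-with-webhook-key"
WEBHOOK_URL = "https://splunk-forwarder.example.com/mandrill"

# CIM Email `action` values chosen for this example; `status` keeps the raw name.
ACTION_BY_EVENT = {"send": "delivered", "hard_bounce": "blocked",
                   "soft_bounce": "blocked", "reject": "blocked", "spam": "blocked"}


def mandrill_signature(webhook_key: str, url: str, params: dict) -> str:
    """Signature Mandrill sends in X-Mandrill-Signature:
    base64(HMAC-SHA1(key, url + ''.join(k + v for sorted params)))."""
    signed = url + "".join(k + params[k] for k in sorted(params))
    digest = hmac.new(webhook_key.encode(), signed.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_signature(webhook_key: str, url: str, params: dict, header: str) -> bool:
    """Constant-time compare against the header; drop the request if False."""
    return hmac.compare_digest(mandrill_signature(webhook_key, url, params), header)


def parse_webhook(form_body: str):
    """Return (form params, list of raw event dicts) from the POST body."""
    params = {k: v[0] for k, v in parse_qs(form_body, keep_blank_values=True).items()}
    return params, json.loads(params.get("mandrill_events", "[]"))


def to_log_records(events, received_at=None):
    """Copy each raw event untouched and inject a few top-level keys
    (assumption: these are the keys that make spath/timestamping easy)."""
    received_at = received_at or datetime.now(timezone.utc)
    records = []
    for ev in events:
        rec = dict(ev)  # every raw Mandrill field survives
        rec["received_at"] = received_at.isoformat()
        rec["event_ts_iso"] = datetime.fromtimestamp(ev["ts"], tz=timezone.utc).isoformat()
        rec["webhook_source"] = "mandrill"
        records.append(rec)
    return records


def to_log_lines(events, received_at=None):
    """One compact JSON object per line, ready for a monitored file."""
    return [json.dumps(r, separators=(",", ":"), sort_keys=True)
            for r in to_log_records(events, received_at)]


def cim_email(event: dict) -> dict:
    """Search-time style normalization of one raw event to CIM Email fields."""
    msg = event.get("msg", {})
    last_smtp = (msg.get("smtp_events") or [{}])[-1]
    return {"src_user": msg.get("sender"), "recipient": msg.get("email"),
            "subject": msg.get("subject"), "message_id": msg.get("_id"),
            "action": ACTION_BY_EVENT.get(event.get("event"), "unknown"),
            "status": event.get("event"), "src": last_smtp.get("source_ip"),
            "dest": last_smtp.get("destination_ip"),
            "message_info": last_smtp.get("diag"), "vendor_product": "Mandrill"}


def delaying_servers(events) -> dict:
    """Destination SMTP servers that deferred delivery, with their diagnostics."""
    out = {}
    for ev in events:
        if ev.get("event") != "deferral":
            continue
        for s in ev.get("msg", {}).get("smtp_events", []):
            if s.get("type") == "deferred":
                out.setdefault(s["destination_ip"], []).append(s.get("diag"))
    return out


if __name__ == "__main__":
    params, events = parse_webhook(SAMPLE_FORM_BODY)
    header = mandrill_signature(WEBHOOK_KEY, WEBHOOK_URL, params)  # stand-in for the request header
    if not verify_signature(WEBHOOK_KEY, WEBHOOK_URL, params, header):
        raise SystemExit("bad X-Mandrill-Signature, dropping request")
    for line in to_log_lines(events):
        print(line)  # append these to the file Splunk monitors
    for ev in events:
        print(cim_email(ev))
    print(delaying_servers(events))
```

The raw `msg` object is written unchanged, so the CIM fields can be derived later in Splunk (field aliases and EVALs in props.conf, or a `spath` at search time) rather than baked into the log; `cim_email` here only shows what that mapping produces. The signature check goes before anything is written, so a forged POST never reaches the index.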

hvandenb
Path Finder

Daniel -

Thanks for the tips.

Henri

0 Karma