Splunk consuming email alerts from other monitoring tools


Hi All,

Does anyone know of an app or configuration to consume email alerts generated by other monitoring tools? It seems that every monitoring tool has the ability to send alerts via email, but none seem to be able to receive the email and consume the information, at least not easily.

The thought is to simply add a Splunk email address that gets sent to the Splunk server/collector and then be able to Splunk on the data provided.



Splunk Employee

Inspired by duckfez's advice, here is how I caught CSVs sent to Splunk> on Ubuntu 16.04 LTS using fetchmail, procmail and uudeview.

Install fetchmail, procmail and uudeview

mattymo@n00bserver:~$ sudo apt install fetchmail procmail uudeview

Create directories in your $HOME

mattymo@n00bserver:~$ mkdir mail_backup
mattymo@n00bserver:~$ mkdir mail_attachments
mattymo@n00bserver:~$ mkdir mail_logs

Create .fetchmailrc in $HOME and configure

mattymo@n00bserver:~$ vi .fetchmailrc

Copy & Paste:

####OCTOBER 17 2016 - mattymo in the n00blab making Splunk> eat csv sent by other systems
#Big up Falko Timme -
#Big up Thomas Kuther -

set syslog
set logfile "mail_logs/fetchmail.log"
set postmaster "mattymo"
set daemon 300

poll <yourmailserver> proto POP3 port <yourport>
    user "<youremailaddress>" there with password "<yourpassword>" is <youruser> here
    mda '/usr/bin/procmail -d %T'

Lock .fetchmailrc down (it contains the mailbox password)

mattymo@n00bserver:~$ chmod 600 .fetchmailrc

Configure .procmailrc

mattymo@n00bserver:~$ vi .procmailrc

Copy & Paste

#OCTOBER 17 2016 - mattymo in the n00blab making Splunk> eat csv sent by other systems
#Big up duckfez
#Big up Thomas Kuther -

#Log to mail_logs
LOGFILE=$HOME/mail_logs/procmail.log

# backup the complete mail first..
# you can leave out this part if you don't want a backup of the complete mail
# (recipe header and destination reconstructed from the comments: the "c" flag
# keeps a copy in mail_backup/ and carries on to the next recipe)
:0 c
mail_backup/

# Now the actual unpacking part
# forward to uudeview and unpack attachments to $HOME/mail_attachments
:0
| uudeview -p $HOME/mail_attachments -

Now on to crafting an inputs.conf to only consume .csv$ from the mail_attachments and playing with more email settings and scenarios! Will update here as I go!

Feedback welcome!

- MattyMo


I've not done it, but this should be near-trivial on any Linux server that uses procmail as a delivery agent. On the Splunk side, configure a batch input in inputs.conf as follows:

# stanza header reconstructed from the description below; the path is assumed
# to be the splunk user's $HOME/mailqueue (Splunk does not expand $HOME)
[batch:///home/splunk/mailqueue]
move_policy = sinkhole
sourcetype = inbound_mail

In props.conf, set up a LINE_BREAKER to make the whole-file a single event:


Basically, setting a "statistically unlikely to occur" LINE_BREAKER...

Then, in the splunk user's .procmailrc:


* Subject: .*

With this result, procmail should take each inbound message and put it in a unique file in $HOME/mailqueue. These will be picked up by Splunk and indexed as whole files. You can tune the .procmailrc to only index certain subjects, or messages from certain places - procmail is very capable.
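A small Python stand-in for the uudeview step in MattyMo's recipe and for the procmail pipe in duckfez's, added here as an example and not part of either post. It reads one message from stdin (as procmail pipes it), keeps only .csv attachments, strips any directory components from the attachment name so an untrusted sender cannot steer the file outside the sinkhole directory, and prefixes a UUID so two alerts carrying the same filename never overwrite each other before Splunk's batch input picks them up. The sample message, the script name and the default destination path are constructed assumptions.

```python
import os
import re
import sys
import uuid
from email import policy
from email.parser import BytesParser


def safe_name(filename):
    """Reduce an attachment filename to one safe path component."""
    base = os.path.basename(filename.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return base or "unnamed.csv"


def extract_csv_attachments(raw_message, out_dir):
    """Write each .csv attachment of raw_message (bytes) into out_dir.

    Returns the paths written. The UUID prefix keeps same-named attachments
    from colliding before the batch input (move_policy = sinkhole) eats them.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    written = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name or not name.lower().endswith(".csv"):
            continue  # only CSV payloads are wanted, as in MattyMo's plan
        path = os.path.join(out_dir, uuid.uuid4().hex + "_" + safe_name(name))
        with open(path, "wb") as fh:
            fh.write(part.get_payload(decode=True))
        written.append(path)
    return written


# Constructed sample alert (not a real message): the attachment name carries
# directory components that must never reach the filesystem.
SAMPLE = (
    b"From: alerts@monitoring.example\r\nTo: splunk@n00bserver.example\r\n"
    b"Subject: Disk alert\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
    b"--XX\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b'--XX\r\nContent-Type: text/csv; name="alerts.csv"\r\n'
    b'Content-Disposition: attachment; filename="../../alerts.csv"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"aG9zdCxzdGF0dXMKd2ViMDEsRE9XTgo=\r\n--XX--\r\n"
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/mail_attachments")
    os.makedirs(target, exist_ok=True)
    for p in extract_csv_attachments(sys.stdin.buffer.read(), target):
        print(p)
```

In .procmailrc the uudeview line becomes `| python3 extract_csv.py $HOME/mail_attachments` (script name assumed); the inputs.conf batch stanza then points at that directory.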

Splunk Employee

There is a Splunk App for importing email via IMAP here:



I was looking for something that wasn't pulling from a mail server but consuming the mail that gets sent to a server. For example, spinning up sendmail on the Splunk server that receives mail for and then locally consuming the data. I'll check into this though.

Thanks again!
