Community:Splunk for IMAP
From Splunk Wiki
Splunk for IMAP
This application continually downloads mail from an IMAP account and sends it to a Splunk server for indexing. You can do cool things like see how often you get mail from someone, graph by size, time, etc. Each message is treated as a separate Splunk event.
Download the Splunk for IMAP application
Download the application from SplunkBase here: Splunk for IMAP.
Install Splunk for IMAP
1. Copy the IMAP application directory into
local/imap.conf and provide the required settings for connecting to your IMAP server (server, user, password). See the comments in the file for more details about all required and optional settings.
3. Restart the Splunk server.
Note: By default, the IMAP application will create a new index named "mail" in the file default/indexes.conf. If you want the IMAP output to go to the default Splunk index, remove
index = mail in
props.conf and delete
Required input changes
- server to be your mail server, for example "mail.spool.com" or "22.214.171.124"
- port if you are using a non-standard port
- user to be your login name
- password to be your password in plain text.
- xpassword to your encrypted password. To get an encrypted version of your password, run the
genpassword.shscript in this application's bin directory. Copy and paste its output to
Note: There are two ways to supply a password.
password is plain text and
xpassword is an encrypted password.
Optional input changes
The following input changes are optional:
- maxsize = <number> By default we index messages no larger than 200k. You can change this by setting
- indexHeaders = True/False if you want full header info
- indexBody = True/False if you want the entire body indexed.
- match = <regex> This will only index messages that match this regex. For example, if you only wanted to index mail that had a certain subject, you could do so here.
- filter = <regex> This will filter out and index only the content that matches the regex. Unlike
match, which just passes the entire message on if it matches,
filterwill carve up the body and only pass on certain parts. This is useful if you want to pull out certain parts of the message.
Message headers are indexed as key-value pairs, for example:
From = "erik swan <email@example.com> Subject = "This is sooo cool"
This makes it easy to generate reports from the email indexed in Splunk. For example:
index::mail | top From
Also, note the quotes around the field values. This makes it easy to perform searches 'where' or regexes. For example, if you want to find all your email that was sent by Will, do the following:
index::mail | regex From = "Will"
If encrypted passwords are being used, the user needs to run the provided genpass.sh script, once for the mailbox password and once for the splunk server password. Cut/copy/paste the generated encrypted password and place it into the