- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Why is the IMAPMailbox Mail not indexing?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am looking for some help figuring out why the mail is not indexing.
When I run /opt/splunk/bin/splunk cmd python bin/get_imap_email.py –debug at the very end, I see the test email I sent into that mailbox:
DEBUG:splunk.rest:simpleRequest < server responded status=200 responseTime=0.0098s
DEBUG:splunk.search:getStatus - elapsed=0.00991606712341 nextRetry=0.0500000078002
DEBUG:root:
DEBUG:root: mailbox was empty
DEBUG:splunk.search:Executing action=cancel on job id=1519852592.75
DEBUG:splunk.rest:simpleRequest > POST https://localhost:8089/services/search/jobs/1519852592.75/control [action=cancel] sessionSource=direct timeout=30
DEBUG:splunk.rest:simpleRequest < server responded status=200 responseTime=0.0071s
DEBUG:root:using last time of
\*\*\*SPLUNK\*\*\* source=Inbox sourcetype=imap host=outlook.office365.com
EndIMAPMessage
DEBUG:root:about to get all mail up to counter :1
DEBUG:root:about so imap search with : (UNDELETED 1:201)
DEBUG:root:returned from search with 1ids
DEBUG:root:id return from search : ['1']
Date = "28-Feb-2018 12:58:23 -0800"
From = "Mouse, Mickey (DIS) mickey.mouse@domain.tld"
To = "Mailbox, IMAP (DIS) imapmailbox@domain.tld"
Subject = "test" mailbox = "Inbox" size = 12867
____________________ Message Body ____________________
html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microso…
So from the CLI, it seems to eventually pull the email but the index is not seeing it. Even the index=* search doesn’t find the mail. Do you have any other suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, once I got to the above configuration and confirmation via CLI, it was just a matter of changing the inputs.conf to reflect the architecture of my splunk instance not the mail server - as I originally thought.
Thanks to pj@dysan.net for helping me via email. (I only mention because the email was referenced in the README and on BASE and I want to both give props and denote that the email address is monitored
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, once I got to the above configuration and confirmation via CLI, it was just a matter of changing the inputs.conf to reflect the architecture of my splunk instance not the mail server - as I originally thought.
Thanks to pj@dysan.net for helping me via email. (I only mention because the email was referenced in the README and on BASE and I want to both give props and denote that the email address is monitored
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
