We installed and configured Splunk for IMAP.
It worked and indexed data, but for some reason it stopped indexing data after a few hours.
Troubleshooting:
Verified that the mailbox contains new messages.
Verified that the mailbox was not full.
When I ran "/opt/splunk/bin/splunk cmd python /splunk/etc/apps/imap/bin/getimap.py --debug", it connected to the mailbox but for some reason did not find any new messages.
I deleted some of the old messages and changed the imap.conf filter to "imapSearch = UNDELETED" instead of "imapSearch = UNDELETED SMALLER 204800".
After the changes, Splunk indexed the new messages.
I've enabled debug in imap.conf, but I'm not sure what value it adds.
I want to know why it stopped and verify it won't happen again.
Where are the imap app log files located?
How can I troubleshoot it further?
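The post changes the imapSearch criteria from "UNDELETED SMALLER 204800" to "UNDELETED" and then sees new messages again. One way to check whether the SMALLER clause was the cause is to run both SEARCH criteria against the same mailbox and list the UIDs (with their RFC822.SIZE) that the narrower filter leaves out. The script below does that; it is an added example written for this page, not code from the original post or from the Splunk imap app. The host, user and mailbox are assumed command-line arguments, and the FakeIMAP class with its SAMPLE_MAILBOX is a constructed stand-in so the check can also be run offline.

```python
"""Compare two IMAP SEARCH criteria and report what the narrower one drops.

Added example, not part of the original post or of the Splunk imap app.
Usage: python imap_filter_check.py HOST USER MAILBOX   (live, prompts for password)
       python imap_filter_check.py                     (runs against the constructed sample)
"""
import getpass
import imaplib
import re
import sys


def matches(criteria, size, deleted):
    """Evaluate a subset of RFC 3501 SEARCH keys (ALL, DELETED, UNDELETED,
    SMALLER n, LARGER n) against one message. Keys are ANDed, as in IMAP.
    Note SMALLER n is strict: a message of exactly n octets does not match."""
    tokens = criteria.upper().split()
    i = 0
    while i < len(tokens):
        key = tokens[i]
        if key == "ALL":
            pass
        elif key == "DELETED":
            if not deleted:
                return False
        elif key == "UNDELETED":
            if deleted:
                return False
        elif key in ("SMALLER", "LARGER"):
            n = int(tokens[i + 1])
            i += 1
            if key == "SMALLER" and not size < n:
                return False
            if key == "LARGER" and not size > n:
                return False
        else:
            raise ValueError(f"unsupported SEARCH key: {key}")
        i += 1
    return True


class FakeIMAP:
    """Constructed stand-in for imaplib.IMAP4 (only the uid() calls used below),
    so the comparison can be demonstrated and tested without a server."""

    def __init__(self, messages):
        self.messages = messages  # {uid: (rfc822_size, is_deleted)}

    def uid(self, command, *args):
        cmd = command.upper()
        if cmd == "SEARCH":  # args: (charset, criteria)
            hits = [u for u in sorted(self.messages, key=int)
                    if matches(args[-1], *self.messages[u])]
            return "OK", [" ".join(hits).encode()]
        if cmd == "FETCH":  # args: (uid, "(RFC822.SIZE)")
            size = self.messages[args[0]][0]
            return "OK", [f"1 (UID {args[0]} RFC822.SIZE {size})".encode()]
        raise ValueError(cmd)


# Constructed sample: UID -> (size in octets, deleted flag).
SAMPLE_MAILBOX = {
    "1": (1000, False),     # small, matches both filters
    "2": (300000, False),   # larger than 204800: dropped by SMALLER
    "3": (500, True),       # deleted: dropped by both
    "4": (204800, False),   # exactly 204800: SMALLER is strict, so dropped
}


def uids(conn, criteria):
    """Run UID SEARCH with the given criteria and return the matching UIDs as strings."""
    status, data = conn.uid("SEARCH", None, criteria)
    if status != "OK":
        raise RuntimeError(f"SEARCH {criteria!r} failed: {status}")
    return {u.decode() for u in data[0].split()}


def dropped(conn, broad, narrow):
    """Return {uid: size} for messages matched by `broad` but not by `narrow`."""
    result = {}
    for uid in sorted(uids(conn, broad) - uids(conn, narrow), key=int):
        status, data = conn.uid("FETCH", uid, "(RFC822.SIZE)")
        m = re.search(rb"RFC822\.SIZE (\d+)", data[0] if status == "OK" and data else b"")
        result[uid] = int(m.group(1)) if m else None
    return result


def main(argv):
    if len(argv) == 4:
        host, user, mailbox = argv[1:]  # assumed arguments, see lead-in
        conn = imaplib.IMAP4_SSL(host)
        conn.login(user, getpass.getpass())
        conn.select(mailbox, readonly=True)  # readonly: do not touch flags
    else:
        conn = FakeIMAP(SAMPLE_MAILBOX)
    for uid, size in dropped(conn, "UNDELETED", "UNDELETED SMALLER 204800").items():
        print(f"UID {uid}: {size} bytes, excluded by the SMALLER 204800 filter")


if __name__ == "__main__":
    main(sys.argv)
```

The mailbox is opened read-only so the check cannot change flags the indexer may rely on. If the dropped list is non-empty, the SMALLER clause alone explains why those messages never reached Splunk; if it is empty, the cause lies elsewhere and the app's own debug output is the next thing to read.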