I am new to Splunk and need to configure emails coming from different mailboxes into Splunk. I have downloaded the IMAP Mailbox app from the deployment server UI. I need to figure out where and what changes need to be made and where it should be deployed.
The TA is part of the download in the addons/ directory.
I have this on the deployment server:
/opt/splunk/etc/apps/IMAPmailbox and under that I have directories appserver, bin, default, local, metadata, README.md, static
If I look into appserver directory - /opt/splunk/etc/apps/IMAPmailbox/appserver/addons, I find the IMAPmailbox-TA
I find the indexes.conf in /opt/splunk/etc/apps/IMAPmailbox/default and /opt/splunk/etc/apps/IMAPmailbox/appserver/addons/IMAPmailbox-TA/default
/opt/splunk/etc/apps/IMAPmailbox/default
[root@wg0305 default]# ls
app.conf fields.conf inputs.conf restmap.conf ui-prefs.conf
data imap.conf macros.conf savedsearches.conf
datamodels.conf indexes.conf props.conf setup.xml
and also in
/opt/splunk/etc/apps/IMAPmailbox/appserver/addons/IMAPmailbox-TA/default
[root@wg0305 default]# ls
app.conf imap.conf inputs.conf props.conf ui-prefs.conf
datamodels.conf indexes.conf macros.conf savedsearches.conf
I have 2 environments, UAT and Production, configured for Splunk - index names = bluesky-uat and bluesky-prod
I have to pick mail from the uat mailbox to the bluesky-uat index and from the prod mailbox to the bluesky-prod index
Please verify that I am doing the right thing. I have not made any changes to /opt/splunk/etc/apps/IMAPmailbox/appserver/addons/IMAPmailbox-TA/default
1) Logged on to the Linux deployment server and copied the default/imap.conf to local/imap.conf in /opt/splunk/etc/apps/IMAPmailbox (not in /opt/splunk/etc/apps/IMAPmailbox/appserver/addons/IMAPmailbox-TA/default)
2) Changed the imap.conf in local for Email server name, user id/password and port
3) Copy /opt/splunk/etc/apps/IMAPmailbox to /opt/splunk/etc/deployment-apps/IMAPmailbox-uat and /opt/splunk/etc/deployment-apps/IMAPmailbox-prod on the deployment server
4) Do I need this to go to the search server, and how do I deploy this from the deployment server – with the scp command or reload deploy-server (which server does it need to be deployed to - search head or indexers)?
5) Restart Splunk