Overview

Using my Splunk Storm Webhook together with an email service provider such as Email Yak, we can easily index, search and report on email messages in Splunk Storm.

Steps

  1. Follow the instructions for setting up the Splunk Storm Webhook.
  2. Sign up with Email Yak and register a new domain:

     (Screenshot: Email Yak New Domain Control Panel)

  3. Send a test email: echo 'this is a test email' | mail -s 'test email' gba@emailtostorm.simpleyak.com
  4. Search for and report on your email with Splunk Storm:

     (Screenshot: Email in Splunk Storm)

Bonus

Here's another useful search that extracts the message body and displays it as a table:

*simpleyak* | spath output=TextBody TextBody | table TextBody

Other Email Services

When I initially wrote this article I chose Email Yak as my provider because of their 'Free' account level and their support for Email Push via HTTP POST (aka Webhooks). As it turns out, our friends over at mailgun also support Email Push via HTTP POST. The difference is that Email Yak POSTs messages as JSON, whereas mailgun POSTs messages in their original RFC2822 format.

It is possible to index both of these formats with Splunk Storm given one change in my Webhook. In app.py, on line 31, change the sourcetype from generic_single_line to storm_multi_line so that a multi-line message body is kept together as one event:

def storm():
    """Endpoint handler for POST requests."""
    # Was 'generic_single_line'; storm_multi_line keeps a JSON document or a
    # full RFC2822 message (headers plus body) together as one event.
    sourcetype = 'storm_multi_line'
    source = 'webhook'
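To show what the handler has to cope with once both providers push to it, here is an added example (not the article's Webhook code, and not code from Email Yak, mailgun or Splunk): it validates an inbound POST as either an Email Yak JSON document or a mailgun RFC2822 message, rejects anything that is neither, and builds the request that would send the event to Storm with the storm_multi_line sourcetype. The Storm REST input URL, the basic-auth scheme and the project/token placeholders are assumptions, and the two sample pushes are constructed for the example.

```python
import json
from base64 import b64encode
from email import message_from_string
from urllib import request
from urllib.parse import urlencode

# Assumed Splunk Storm REST input endpoint and placeholder credentials
# (the article's Webhook reads its own settings from its configuration).
STORM_INPUT_URL = "https://api.splunkstorm.com/1/inputs/http"
STORM_PROJECT_ID = "<storm-project-id>"
STORM_ACCESS_TOKEN = "<storm-access-token>"

SOURCETYPE = "storm_multi_line"  # the value app.py is switched to in the article
SOURCE = "webhook"


def normalise_event(content_type, raw_body):
    """Validate an inbound push and return it as one multi-line Storm event.

    Email Yak POSTs the message as a JSON document (e.g. with a TextBody
    field); mailgun POSTs the original RFC2822 text. Anything else is
    rejected so the endpoint does not index arbitrary POST bodies as email.
    Returns a dict with 'format', 'subject' and the 'event' text to index.
    """
    body = raw_body.replace("\r\n", "\n").strip()
    ctype = (content_type or "").split(";")[0].strip().lower()

    if ctype == "application/json" or body.startswith("{"):
        try:
            doc = json.loads(body)
        except ValueError:
            raise ValueError("payload looks like JSON but does not parse")
        if not isinstance(doc, dict):
            raise ValueError("JSON payload is not an object")
        # Re-serialise with indentation so the event is multi-line and stable
        # regardless of how the provider formatted it; spath still works on it.
        return {
            "format": "json",
            "subject": doc.get("Subject", ""),
            "event": json.dumps(doc, indent=2, sort_keys=True),
        }

    # Not JSON: require at least From and Subject headers before treating
    # the body as an RFC2822 message.
    msg = message_from_string(body)
    if msg.get("From") is None or msg.get("Subject") is None:
        raise ValueError("body is neither JSON nor an RFC2822 message with headers")
    return {"format": "rfc2822", "subject": msg["Subject"], "event": body}


def storm_request(event):
    """Build the HTTP POST for one event (assumed Storm API shape, not sent here)."""
    params = urlencode({"index": STORM_PROJECT_ID,
                        "sourcetype": SOURCETYPE,
                        "source": SOURCE})
    req = request.Request(STORM_INPUT_URL + "?" + params,
                          data=event.encode("utf-8"))
    # Assumption: basic auth with an arbitrary user name and the access
    # token as the password.
    token = b64encode(("x:" + STORM_ACCESS_TOKEN).encode("ascii")).decode("ascii")
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "text/plain; charset=utf-8")
    return req


# Constructed sample pushes, not captured from either provider.
EMAILYAK_JSON = ('{"Subject": "test email", "TextBody": "this is a test email", '
                 '"To": "gba@emailtostorm.simpleyak.com"}')
MAILGUN_RFC2822 = ("From: gba@example.com\r\n"
                   "To: gba@emailtostorm.simpleyak.com\r\n"
                   "Subject: test email\r\n"
                   "\r\n"
                   "this is a test email\r\n")

if __name__ == "__main__":
    for ctype, payload in (("application/json", EMAILYAK_JSON),
                           ("message/rfc822", MAILGUN_RFC2822)):
        ev = normalise_event(ctype, payload)
        print(ev["format"], repr(ev["subject"]),
              storm_request(ev["event"]).get_full_url())
```

Because the event is indexed as one multi-line block, the `spath output=TextBody TextBody` search from the Bonus section keeps working for the JSON pushes, while the RFC2822 pushes can be searched on their header lines. Rejecting payloads that fit neither shape also matters because the endpoint has to accept POSTs from the provider; whatever reaches it that is not a message from the provider should be dropped rather than indexed.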