Mail server data
Email remains the primary form of formal communication in most organizations. As such, mail server databases and logs are some of the most important business records. Due to their size and tendency to grow without bounds, email data management typically requires both data retention and archival policies so that only important records are held and inactive data is moved to low cost storage.
Mail server transaction and error logs also are essential debugging tools for IT problem resolution and also may be used for usage-based billing. Mail server data can help identify malicious attachments, malicious domain links and redirects, emails from known malicious domains, and emails from unknown domains. It can also be used to identify emails with abnormal or excessive message sizes, and abnormal email activities times. In the Common Information Model, mail server data is typically mapped to the Email data model.
Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: