
How to Analyze GMAIL Data Using SPLUNK

Most of us use a Gmail account to share documents and send important information to the people we know, so a mailbox is a rich data set in its own right. Here we show how to analyze your own Gmail data with Splunk: export the mailbox with Google Takeout, index it with a sourcetype that breaks the mbox file into one event per message, and then run a few searches over the sender, recipient and label headers.

Step 1: Download your Gmail data from Google Takeout
a) First, sign in to the Google account whose mail you want to analyze.

[Screenshot: logging in to the Gmail account]

b) Then request an export of your Gmail data from Google Takeout at the URL below.
URL : https://takeout.google.com/settings/takeout

[Screenshot: selecting the Google products to download]

c) Select only Gmail (deselect the other products), then click "NEXT" to set up the archive.

[Screenshot: the NEXT button]

d) Then choose the archive format and size and create the archive. Gmail is exported as an .mbox file; the screenshot shows zip archives split at 2 GB.

[Screenshot: zip archive, 2 GB split size]

e) Once the archive is ready you can download it.

[Screenshot: download option]

[Screenshot: download completed]

f) You also receive an email when the archive is done.

g) Then extract the .mbox file from the zip archive. Keep in mind that this file is your entire mailbox in clear text, attachments included: store it on an encrypted disk, delete it once it is indexed, and remember that everyone with search access to the Splunk index you create in Step 2 will be able to read every message.

Step 2: Add the Gmail data to Splunk
a) Upload the extracted .mbox file through Splunk Web. The navigation is:
"Settings" > "Add Data" > "Upload"

b) Select the file from your local machine. Splunk shows a preview of how the file will be broken into events; with the default settings a message is not kept together as one event (the default limit of 256 lines per event alone is far too small for mail), which is what the next step fixes.

[Screenshot: preview of the Gmail data]

c) Then configure the Advanced options as follows (Splunk Web writes them into props.conf for the new sourcetype):

MAX_EVENTS = 100000
BREAK_ONLY_BEFORE = From\s.+?@
MAX_TIMESTAMP_LOOKAHEAD = 150
NO_BINARY_CHECK = 1
TRUNCATE = 100000
MAX_DAYS_AGO = 3652

What these settings do, and why an mbox file needs them:

BREAK_ONLY_BEFORE: a Takeout mbox holds every message back to back, and each message begins with a separator line of the form "From <token>@<host> <date>" (a space after "From", unlike the "From:" header). Splunk starts a new event only at a line matching this pattern, so one event becomes one message. The pattern is not anchored, so a line inside a message body that contains "From " followed by an "@" (a signature such as "Sent From my phone, mail me@...") also matches and would split that message in two; anchoring the pattern to the start of the line, for example "^From\s+\S+@\S+\s", avoids that.

MAX_EVENTS: the maximum number of lines Splunk merges into one event (default 256). A message with an attachment or an HTML body runs to thousands of lines, so without raising it long messages would be cut into several events.

TRUNCATE: the maximum length of a line in bytes (default 10000); longer lines are cut off. Raised here for long HTML or encoded lines.

MAX_TIMESTAMP_LOOKAHEAD: how many characters into the event Splunk looks for a timestamp. The date on the separator line lies within the first 150 characters, so it becomes the event's _time; the message's own Date: header usually sits further down, after the routing headers, and is not the one used.

NO_BINARY_CHECK: index the file even if Splunk's binary-content check trips on something inside the messages (encoded attachments, non-text characters).

MAX_DAYS_AGO: by default Splunk does not accept extracted timestamps more than 2000 days old; 3652 days is roughly ten years. If your mailbox goes back further, raise this value, otherwise the older messages are indexed with the wrong time.

[Screenshot: props configuration]

d) After that specify a sourcetype name. Here we have used GmailData.

[Screenshot: setting the sourcetype]

e) Create a new index to store the data. Here we have named it gmail. A dedicated index also lets you restrict who can search the mail through Splunk's role-based index permissions.

[Screenshot: setting the index name]

f) Finally you will see the Gmail data in Splunk as events, one event per message.

[Screenshot: the data inside Splunk]

Step 3: Now you can ask questions of the data, for example:

i) Top 10 senders

index="gmail" sourcetype="GmailData"
| rex field=_raw "(?m)^To:\s*(.*?)(?P<Gmail_To>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)"
| rex field=_raw "(?m)^From:\s*(.*?)(?P<Gmail_From>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)"
| rex field=_raw "(?m)^X-Gmail-Labels:\s*(?P<Gmail_Labels>[^\r\n]+)"
| top Gmail_From
| fields - percent

The three rex commands pull the sender address, the first recipient address and the label list out of the raw message headers; top returns the ten most frequent values by default. Two details matter compared to a naive pattern: the header names are anchored to the start of a line ((?m)^To:), because an unanchored "To\s*:" also matches "Delivered-To:", usually the very first header of a received message, and "In-Reply-To:"; and the address character classes allow dots, plus signs and hyphens, because a \w-only class cannot cross the dots in "first.last@sub.example.com" and would extract only "last@sub.example".

ii) Number of emails received

index="gmail" sourcetype="GmailData"
| rex field=_raw "(?m)^To:\s*(.*?)(?P<Gmail_To>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)"
| rex field=_raw "(?m)^From:\s*(.*?)(?P<Gmail_From>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)"
| rex field=_raw "(?m)^X-Gmail-Labels:\s*(?P<Gmail_Labels>[^\r\n]+)"
| search Gmail_Labels="*Inbox*"
| stats count as "TotalInboxEmail"

This counts the messages whose Gmail labels still include Inbox. Messages you archived no longer carry that label and are not counted; to count everything addressed to you, filter on Gmail_To being your address instead.

iii) People you've received the most emails from

index="gmail" sourcetype="GmailData"
| rex field=_raw "(?m)^To:\s*(.*?)(?P<Gmail_To>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)"
| rex field=_raw "(?m)^From:\s*(.*?)(?P<Gmail_From>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)"
| rex field=_raw "(?m)^X-Gmail-Labels:\s*(?P<Gmail_Labels>[^\r\n]+)"
| search NOT Gmail_From="splunkgeek@gmail.com"
| top Gmail_From

Replace splunkgeek@gmail.com with your own address so that mail you sent (including mail to yourself) is left out of the ranking.

iv) People you've sent the most emails to

index="gmail" sourcetype="GmailData"
| rex field=_raw "(?m)^To:\s*(.*?)(?P<Gmail_To>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)"
| rex field=_raw "(?m)^From:\s*(.*?)(?P<Gmail_From>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)"
| rex field=_raw "(?m)^X-Gmail-Labels:\s*(?P<Gmail_Labels>[^\r\n]+)"
| search Gmail_From="splunkgeek@gmail.com"
| top Gmail_To

The filter keeps only the messages you sent (again, substitute your own address; search Gmail_Labels="*Sent*" works as well) and then ranks the recipients. Note that the rex captures only the first address on the To: line, so a message with several recipients is credited to the first one only.
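The searches above depend on two things that are easy to get wrong: the event breaking configured in Step 2 (which lines start a new message) and the header extraction (which address a regex actually captures). The script below, an added example that is not code from the original post, reproduces the same counts offline in Python over a small constructed mbox so you can check your Splunk results against an independent implementation. The mailbox contents, the addresses and the owner address ME are placeholders; the separator-line layout follows what Google Takeout produces. The split mirrors BREAK_ONLY_BEFORE, the counts mirror queries ii to iv, and the last function applies the word-character-only sender pattern [\w]+@[\w]+.[\w]+ with Python's re.search to show why a class that cannot cross dots truncates a dotted address.

```python
"""Offline cross-check for the Splunk Gmail searches on this page.
Splits a Takeout-style mbox into messages the way BREAK_ONLY_BEFORE does,
parses the headers with the email module instead of a regex over _raw, and
recomputes the inbox / top-sender / top-recipient figures.  Added example
over a constructed mailbox; not code from the original post."""
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

ME = "me@gmail.com"  # placeholder for the mailbox owner's address
# Constructed sample in the layout Takeout uses: each message starts with a
# separator line "From <token>@<host> <date>".  All addresses are placeholders.
SAMPLE_MBOX = """\
From 1000000000000000001@xxx Mon Jan 06 10:00:00 +0000 2025
X-Gmail-Labels: Inbox,Important,Unread
From: alice@example.com
To: me@gmail.com
Date: Mon, 06 Jan 2025 10:00:00 +0000

first message
From 1000000000000000002@xxx Tue Jan 07 09:30:00 +0000 2025
X-Gmail-Labels: Inbox,Category Personal
From: "Bob Jones" <bob.jones@corp.example.org>
To: "Me" <me@gmail.com>
Date: Tue, 07 Jan 2025 09:30:00 +0000

second message
From 1000000000000000003@xxx Tue Jan 07 11:00:00 +0000 2025
X-Gmail-Labels: Sent
From: me@gmail.com
To: alice@example.com, "Bob Jones" <bob.jones@corp.example.org>
Date: Tue, 07 Jan 2025 11:00:00 +0000

third message
From 1000000000000000004@xxx Wed Jan 08 12:00:00 +0000 2025
X-Gmail-Labels: Sent
From: me@gmail.com
To: alice@example.com
Date: Wed, 08 Jan 2025 12:00:00 +0000

fourth message
From 1000000000000000005@xxx Thu Jan 09 08:00:00 +0000 2025
X-Gmail-Labels: Inbox
From: alice@example.com
To: me@gmail.com
Date: Thu, 09 Jan 2025 08:00:00 +0000

Sent From my phone, reply to alice@example.com
"""

SEPARATOR = re.compile(r"^From \S+@\S+ .*$", re.M)  # separator anchored at line start
PAGE_BREAK = re.compile(r"From\s.+?@")  # the page's BREAK_ONLY_BEFORE, unanchored

def split_mbox(text):
    """One chunk per message with the separator line removed: one event = one mail."""
    starts = [m.start() for m in SEPARATOR.finditer(text)]
    return [text[s:e].split("\n", 1)[1]
            for s, e in zip(starts, starts[1:] + [len(text)])]

def lines_matching_page_break(text):
    """Lines the unanchored pattern would turn into event starts (re.search per line)."""
    return [ln for ln in text.splitlines() if PAGE_BREAK.search(ln)]

def parse_message(chunk):
    """Real header parsing: display names, quoting and address lists are handled."""
    msg = message_from_string(chunk)
    senders = [a.lower() for _, a in getaddresses(msg.get_all("From", []))]
    return {
        "from": senders[0] if senders else None,
        "to": [a.lower() for _, a in getaddresses(msg.get_all("To", []))],
        "labels": [l.strip() for l in msg.get("X-Gmail-Labels", "").split(",") if l.strip()],
        "date": parsedate_to_datetime(msg["Date"]) if msg["Date"] else None,
    }

def load_messages(text):
    return [parse_message(c) for c in split_mbox(text)]

def inbox_count(messages):
    """Query ii: messages still carrying the Inbox label."""
    return sum(1 for m in messages if "Inbox" in m["labels"])

def top_senders(messages, me, n=10):
    """Query iii: who sends me the most mail, my own address excluded."""
    return Counter(m["from"] for m in messages if m["from"] and m["from"] != me).most_common(n)

def top_recipients(messages, me, n=10):
    """Query iv: mail I sent, counted per recipient (all recipients, not just the first)."""
    return Counter(a for m in messages if m["from"] == me for a in m["to"] if a != me).most_common(n)

def page_regex_from(chunk):
    """The word-only sender pattern from the page via re.search: it cannot cross '.'."""
    m = re.search(r"From\s*:\s*(.*?)([\w]+@[\w]+.[\w]+)", chunk)
    return m.group(2) if m else None

if __name__ == "__main__":
    msgs = load_messages(SAMPLE_MBOX)
    print(len(msgs), inbox_count(msgs), top_senders(msgs, ME), top_recipients(msgs, ME))
    print(len(lines_matching_page_break(SAMPLE_MBOX)), page_regex_from(split_mbox(SAMPLE_MBOX)[1]))
```

On the sample the anchored splitter yields five messages, while the unanchored pattern matches six lines, the sixth being the "Sent From my phone" signature that would cut the last message in two in Splunk. The page-style regex on the second message returns "jones@corp.example" rather than "bob.jones@corp.example.org". To run this against a real export, read the .mbox file with errors="replace" (individual messages may use different encodings) and pass the text to load_messages in place of SAMPLE_MBOX.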

 

See also: How To Migrate Splunk Without Stopping Splunkd (Using the RSYNC Command)

Hope this has helped you analyze your Gmail data with Splunk.
Happy Splunking!!

 

 
