We have set up a Splunk monitor for getting contents of `/var/spool/mail/root` to Splunk. We are running a Splunk 6.2.8 Universal Forwarder on all the Linux hosts and the Splunk Enterprise version on the indexer is 6.2.1
splunk add monitor /var/spool/mail
Though we are seeing the contents of root's mail on Splunk, they are partial as shown in the attachment. How do we make sure we list the full contents of root's mail rather than the first few lines. ![alt text][1]
[1]: /storage/temp/122225-splunk-image.png
↧