Does IMAP Mailbox support indexing of attachments,...

jamesdaily · ‎03-16-2015

hgehrts_splunk · ‎07-22-2015

I just tested it and it is not working.
There are scripts out there that download attachments to a filesystem. I think that's the way to go as of now.

ragingwire · ‎07-22-2015

if you are looking at simply indexing a CSV file there are other ways to do so, and make the fields a key/value pair as well. That could not get accomplished with simply indexing an email attachment.

You could have a file directory on your splunk waiting to index any file in it, and put file there via FTP, or a custom python script.

Here is an example for importing csv files:

inputs.conf
[batch:///tmp/file.csv]
sourcetype=MINE
move_policy=sinkhole

props.conf
[MINE]
INDEXED_EXTRACTIONS=CSV
FIELD_DELIMITER=,
FIELD_QUOTE="
HEADER_FIELD_LINE_NUMBER=1

ragingwire · ‎07-22-2015

There is a mimeTypes you can set to index different mime types. Default is text/plain. You can play around with that. But I have no tried with csv attachments, nor know what it will look like when indexed.

hgehrts_splunk · ‎07-22-2015

Does this apply to all attachments or only to binary? I found this mime type setting... so if I send an email with a csv attached to it, will splunk be able to index the csv from that email as well if I add text/comma-separated-values to the list of mime types?

ragingwire · ‎03-16-2015

Splunk can only index text data. So attachments could not be indexed.

Does IMAP Mailbox support indexing of attachments, such as emailed CSV attachments?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life