When IMAP Mailbox indexes the body of our emails into Splunk, it also indexes what is likely a control character (space or break?) in the body of the email which results in the email body being indexed as follows:
Date: =20
System Name: =20
System IP: =20
Version =20
Customer ID: =20
Is there anyway to strip the control character / prevent it from being indexed?
I'm not advocating a change be made to the project, but modifying printBody to use quopri.decodestring worked for me:
# ------------------------------------------------
# print body message to STDOUT for indexing
# ------------------------------------------------
def printBody( self, message, body, cstr 😞
if message.has_key('Content-Transfer-Encoding') and message.get('Content-Transfer-Encoding')=='base64':
try:
body = base64.b64decode(body)
#cstr.write('decoded base64 successfully' + '\n')
except:
cstr.write('WARNING - could not decode base64' + '\n')
cstr.write(quopri.decodestring(body) + '\n')
NOTE: I am not a python programmer.
I'm not advocating a change be made to the project, but modifying printBody to use quopri.decodestring worked for me:
# ------------------------------------------------
# print body message to STDOUT for indexing
# ------------------------------------------------
def printBody( self, message, body, cstr 😞
if message.has_key('Content-Transfer-Encoding') and message.get('Content-Transfer-Encoding')=='base64':
try:
body = base64.b64decode(body)
#cstr.write('decoded base64 successfully' + '\n')
except:
cstr.write('WARNING - could not decode base64' + '\n')
cstr.write(quopri.decodestring(body) + '\n')
NOTE: I am not a python programmer.
Good idea. I will add it on myside as well see if it breaks anything, then I can include it in my next release.
thanks!
I had another person email me about this. but they were able to resolve it on their end. They did not tell me what fixed it.