All Apps and Add-ons

IMAP Mailbox: How do I prevent the app from indexing the "=20" character sequence in body of our emails?

vragosta
Path Finder

When IMAP Mailbox indexes the body of our emails into Splunk, it also indexes what is likely a control character (space or break?) in the body of the email which results in the email body being indexed as follows:

Date: =20
System Name: =20
System IP: =20
Version =20
Customer ID: =20

Is there anyway to strip the control character / prevent it from being indexed?

Tags (2)
0 Karma
1 Solution

vragosta
Path Finder

I'm not advocating a change be made to the project, but modifying printBody to use quopri.decodestring worked for me:

# ------------------------------------------------
# print body message to STDOUT for indexing
# ------------------------------------------------
def printBody( self, message, body, cstr 😞
if message.has_key('Content-Transfer-Encoding') and message.get('Content-Transfer-Encoding')=='base64':
try:
body = base64.b64decode(body)
#cstr.write('decoded base64 successfully' + '\n')
except:
cstr.write('WARNING - could not decode base64' + '\n')
cstr.write(quopri.decodestring(body) + '\n')

NOTE: I am not a python programmer.

View solution in original post

vragosta
Path Finder

I'm not advocating a change be made to the project, but modifying printBody to use quopri.decodestring worked for me:

# ------------------------------------------------
# print body message to STDOUT for indexing
# ------------------------------------------------
def printBody( self, message, body, cstr 😞
if message.has_key('Content-Transfer-Encoding') and message.get('Content-Transfer-Encoding')=='base64':
try:
body = base64.b64decode(body)
#cstr.write('decoded base64 successfully' + '\n')
except:
cstr.write('WARNING - could not decode base64' + '\n')
cstr.write(quopri.decodestring(body) + '\n')

NOTE: I am not a python programmer.

pbalsley
Path Finder

Good idea. I will add it on myside as well see if it breaks anything, then I can include it in my next release.
thanks!

ragingwire
Path Finder

I had another person email me about this. but they were able to resolve it on their end. They did not tell me what fixed it.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...