Users report us suspicious emails for threat analysis. My idea is to import these emails into Splunk ES and automate analysis. My plan is to use IMAP app for email collection and split it into multiple events with some unique email ID.

Is there a way to use different attributes for event break and assign some common ID for each part? The biggest challenge I face is that email header and body have the same fields extracted i.e. Date: From: To: Subject:

-------------** email we receive ** -----------------

Date = date_reported
From = from_reported
Subject = subject_reported
------------ message Body --------------

Received:received_ip1
Received:received_ip2
.....
Received:received_ipn
Message-ID:message-id
From:from
Date:date
Subject:subject
spf:spf
dkim:dkim
dmarc:dmarc
.....
---------- End message Body-----
Link text:link_text1
Link text:link_text2
.....
URL:url1
URL:url2
.....
URL:urln
File hash:file_hash1
File hash:file_hash2
.....
File hash:file_hashn

-----------** what I want to see in Spulnk **-----------------

emailID date_reported from_reported subject_reported
emailID received_ip1
emailID received_ip2
emailID received_ipn
emailID from date subject spf dkim dmark message-ID
emailID link_text1
emailID link_text2
emailID url1
emailID url2
emailID urln
emailID file_hash1
emailID file_hash2
emailID file_hashn