Hi Seun,
For our particular use case we are indexing thousands of emails daily that are generated by WHM servers so read only isn't really ideal as they would build up really fast.
We have some alerting in place for certain email events so the previous behavior of stalling indexing when it came across something it couldn't index was a much bigger problem for us as we then needed something to alert us that indexing had stalled, and then still required manual intervention to delete the email it had failed to index. Losing the odd email containing un-supported characters is a much smaller issue as we would generally just delete them anyways (it's usually just things like failed SSH logins with unsupported chars, or failed IMAP logins, etc that stops the processing for us)
That being said, maybe a great option would be to to either:
A, leave them in place but continue to process the others deleting only what was successfully indexed
or
B, and perhaps an even better option - Move them to a different IMAP folder ( for example, dump them in a folder named processing_failed ).
In any case, we are very happy already with the improvements you have made they have made a big difference for us so thank you very much for that.
On a side note, we had the option to include headers disabled on every account it's indexing but it was still including headers for most of the accounts, not sure why it would do that but I was able to resolve it by setting DEFAULT_INCLUDE_HEADERS = False in mail_constants.py
Funny thing is, it was working at first and I think when we upgraded to Splunk Enterprise 7.0.1 it started including headers ( It could be a coincidence I am not certain of this being related but it was definitely around the same time )
Anyways, thanks again for your efforts I am sure there are others out there who really appreciate it too!
Regards.
... View more