Does IMAP Mailbox support indexing of attachments, such as emailed CSV attachments?

jamesdaily
Explorer
0 Karma

hgehrts_splunk
Splunk Employee

I just tested it and it is not working.
There are scripts out there that download attachments to a filesystem. I think that's the way to go as of now.

0 Karma

ragingwire
Path Finder

If you are looking at simply indexing a CSV file, there are other ways to do so, and to make the fields a key/value pair as well. That could not get accomplished with simply indexing an email attachment.

You could have a file directory on your Splunk waiting to index any file in it, and put files there via FTP or a custom Python script.

Here is an example for importing csv files:

inputs.conf
[batch:///tmp/file.csv]
sourcetype=MINE
move_policy=sinkhole

props.conf
[MINE]
INDEXED_EXTRACTIONS=CSV
FIELD_DELIMITER=,
FIELD_QUOTE="
HEADER_FIELD_LINE_NUMBER=1

0 Karma
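An added example, not code from any poster in this thread: a minimal version of the "download attachments to a filesystem" script suggested above, written to treat the attachment filename and size as untrusted input. The drop directory, the accepted MIME types, the size limit and the sample message are assumptions constructed for illustration; `raw_message` stands for the RFC 822 bytes an IMAP fetch would return.

```python
import os
import re
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumptions of this example: accepted MIME types and a size ceiling.
CSV_TYPES = {"text/csv", "text/comma-separated-values"}
MAX_BYTES = 5 * 1024 * 1024

def safe_name(raw, index):
    """Reduce a sender-controlled attachment filename to a harmless basename."""
    base = os.path.basename((raw or "").replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    if not base.lower().endswith(".csv"):
        base = (base or "attachment") + ".csv"
    return f"{index:03d}_{base}"

def extract_csv_attachments(raw_message, drop_dir):
    """Write each CSV attachment of one message into drop_dir; return the paths."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    written = []
    for index, part in enumerate(msg.iter_attachments()):
        payload = part.get_payload(decode=True) or b""
        if part.get_content_type() not in CSV_TYPES or len(payload) > MAX_BYTES:
            continue  # wrong type or oversized: keep it out of the drop directory
        final = os.path.join(drop_dir, safe_name(part.get_filename(), index))
        tmp = final + ".part"  # assumes the Splunk input only matches *.csv
        with open(tmp, "wb") as fh:
            fh.write(payload)
        os.replace(tmp, final)  # rename so a complete .csv appears in one step
        written.append(final)
    return written

def build_sample_message():
    """Constructed sample: a CSV with a path-traversal filename plus a binary blob."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "report"
    msg.set_content("see attached")
    msg.add_attachment(b"host,status\nweb01,ok\n", maintype="text", subtype="csv",
                       filename="../../etc/report.csv")
    msg.add_attachment(b"\x00\x01", maintype="application", subtype="octet-stream",
                       filename="blob.bin")
    return msg.as_bytes()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(extract_csv_attachments(build_sample_message(), d))
```

With `move_policy=sinkhole`, Splunk deletes each file after indexing it, so the script should keep its own copy if the original attachment is needed later.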

ragingwire
Path Finder

There is a mimeTypes setting you can use to index different MIME types. The default is text/plain. You can play around with that. But I have not tried it with CSV attachments, nor do I know what it will look like when indexed.

0 Karma

hgehrts_splunk
Splunk Employee

Does this apply to all attachments or only to binary ones? I found this MIME type setting... so if I send an email with a CSV attached to it, will Splunk be able to index the CSV from that email as well if I add text/comma-separated-values to the list of MIME types?

0 Karma

ragingwire
Path Finder

Splunk can only index text data. So attachments could not be indexed.

0 Karma