The Splunk MIME Decoder add-on decodes MIME-encoded (URL-encoded) strings. It was developed to decode field values containing encoded email subjects, which are a by-product of an email passing through the Cisco ESA email proxy. The add-on provides a custom search command to do this. The main advantage of this command is that it can decode a MIME-encoded string in any charset, not just UTF-8, which is a limitation of the standard SPL eval function urldecode.
None
Install on Splunk Search Head only.
No need to configure this app.
Use command as per example below. Input and output fields may have the same name.
| mimedecode <field_with_encoded_text> <field_with_decoded_text>
| makeresults count=1
| eval field1_in="=?UTF-8?Q?Alert_Google_=E2=80=93_Bank_of_England?="
| eval field2_in="=?ISO-8859-2?Q?RE=3A_Odpov=EC=EF=3A_Terasy_C1?="
| mimedecode field1_in field1_out
| mimedecode field2_in field2_out
Input String | Input MIME-encoded Charset | Output String |
=?UTF-8?Q?Alert_Google_=E2=80=93_Bank_of_England?= | UTF-8 | Alert Google - Bank of England |
=?ISO-8859-2?Q?RE=3A_Odpov=EC=EF=3A_Terasy_C1?= | ISO-8859-2 | RE: Odpověď: Terasy C1 |
Add-on was successfully tested with these charsets: UTF-8, Windows-1250, ISO-8859-2. However, it should work for many other charsets just as well.
This add-on relies on Python and its email standard library (an email and MIME handling package). You can check details at https://docs.python.org/3/library/email.header.html.
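The decoding step this relies on can be sketched with email.header directly. This is an added example, not the add-on's own code: mime_decode, decode_events, the field names and the sample events are hypothetical, the first two subjects are the ones from the usage example above, and the latin-1 fallback for unknown charsets is an assumption.

```python
from email.header import decode_header
from email.errors import HeaderParseError  # lowercase module name in Python 3

# Constructed sample events; the first two subjects come from the usage example.
SAMPLE_EVENTS = [
    {"subject": "=?UTF-8?Q?Alert_Google_=E2=80=93_Bank_of_England?="},
    {"subject": "=?ISO-8859-2?Q?RE=3A_Odpov=EC=EF=3A_Terasy_C1?="},
    {"subject": "=?x-no-such-charset?B?SGVsbG8=?="},  # charset Python does not know
    {"sender": "user@example.com"},                    # event without the field
]

def mime_decode(value):
    """Decode RFC 2047 encoded-words in value, honouring each word's charset."""
    try:
        parts = decode_header(value)
    except HeaderParseError:
        return value  # malformed base64: keep the raw value for the analyst
    decoded = []
    for data, charset in parts:
        if isinstance(data, str):  # no encoded-word was present at all
            decoded.append(data)
            continue
        try:
            decoded.append(data.decode(charset or "ascii"))
        except (LookupError, UnicodeDecodeError):
            # Unknown charset or invalid bytes: map bytes 1:1 so nothing is lost.
            decoded.append(data.decode("latin-1"))
    return "".join(decoded)

def decode_events(events, field_in, field_out):
    """Mimic '| mimedecode <in> <out>': skip events that lack the input field."""
    results = []
    for event in events:
        event = dict(event)
        if field_in in event:
            event[field_out] = mime_decode(event[field_in])
        results.append(event)
    return results

if __name__ == "__main__":
    for row in decode_events(SAMPLE_EVENTS, "subject", "subject_decoded"):
        print(row)
```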
There were some issues with Japanese charset. This has to be investigated more.
Main credit belongs to Brian Kirk, who wrote the initial core Python code back in 2014.
I am open for any feedback at tomik.moser@gmail.com.
Regenerated in Splunk Add-on Builder 4.2 to comply with the most recent Splunk Cloud AppInspect vetting checks.
Regenerated in Splunk Add-on Builder 4.1.3 to comply with the most recent Splunk Cloud AppInspect vetting checks.
Bug fix: Upgraded Splunk python SDK to version 1.6.15 to fix a bug SPL-194426.
Fixed bug: Command failed in Splunk 8.1.x with error "apps/Alef_TA_MIMEDecoder/bin/MIMEdecode.py", line 43 : module 'email' has no attribute 'Errors'"
Bug fix: SPL command failed when an event didn't contain a field being decoded.