Splunk Search

How to loop through data fields and store the result in a different data field?

ashishlal82
Explorer

Hi,
I am trying to find a solution to the below problem:

HASH (Data field name)
001300A5323BF6C1812B686C1C896857D4CF85C676E48F451D8CB7B9A8F0AFE0
002A2F5CFCF551F27EF4637480C60FC7CEEB53ADE3233F8645D89FFDB39A3A58
00330A0E0EB1DBB6EE84997963F8E15C7C15C1DF787F1C7F109609D7B31BD35C
005ECF2A6C557DDCEC50E8BF5627BA9C

The above field contains HASH values.
Question: how do I loop through the above HASH values and weed out whether a particular value is sha256 or md5? I researched that a sha256 value contains 64 digits and an MD5 value 32 digits. So, in the case above, if a field value is 64 digits I would like to create a data field named "Hash type" with the corresponding value.

Output
hash type hash
sha256 001300A5323BF6C1812B686C1C896857D4CF85C676E48F451D8CB7B9A8F0AFE0
sha256 002A2F5CFCF551F27EF4637480C60FC7CEEB53ADE3233F8645D89FFDB39A3A58
sha256 00330A0E0EB1DBB6EE84997963F8E15C7C15C1DF787F1C7F109609D7B31BD35C
md5 005ECF2A6C557DDCEC50E8BF5627BA9C

I have tried using the eval, case and len functions, but I am not sure how to loop through the fields one by one and find the length. How do I set my pointer?

Any suggestions?


somesoni2
SplunkTrust

Is HASH a multivalued field (one event contains multiple values)?


ashishlal82
Explorer

It's not a multivalued field. One event contains a unique value, and after filtering my data from BigFix in Splunk I identified these hashes as "invalid"; my goal is to weed them out by counting the character length and checking whether each is sha256 or md5.
I tried exactly the same query you wrote and that didn't work.


somesoni2
SplunkTrust

Check the field names as they are case-sensitive.


ashishlal82
Explorer

Here's my query:

index=res sourcetype=res_auth_file_hashes| stats values(HASH) by HASH_TYPE | where HASH_TYPE!="SHA-256"|eval HASH_TYP= case(len(HASH)=64,"sha",len(HASH)=32,"md5")

And the current output:

HASH_TYPE   values(HASH)
INVALID     001300A5323BF6C1812B686C1C896857D4CF85C676E48F451D8CB7B9A8F0AFE0
            002A2F5CFCF551F27EF4637480C60FC7CEEB53ADE3233F8645D89FFDB39A3A58
            00330A0E0EB1DBB6EE84997963F8E15C7C15C1DF787F1C7F109609D7B31BD35C
            005ECF2A6C557DDCEC50E8BF5627BA9C
            007BEFA1DC79145968EB2277A08AA0CC2561C952B138E015301B832B25A7DA3C


somesoni2
SplunkTrust

HASH_TYPE is not set at the stats/where command. Move the eval HASH_TYPE command to before stats.


ashishlal82
Explorer

Sorry, I did not understand your answer, and I am not sure how moving the eval HASH_TYPE command to before stats would make a difference.


somesoni2
SplunkTrust

index=res sourcetype=res_auth_file_hashes |eval HASH_TYPE= case(len(HASH)=64,"sha",len(HASH)=32,"md5")| table HASH HASH_TYPE | where HASH_TYPE!="SHA-256"

ashishlal82
Explorer

Got it, thanks.


diogofgm
SplunkTrust

Try

Base search | eval type= case(len(hash)=64,"sha",len(hash)=32,"md5")

------------
Hope I was able to help you. If so, some karma would be appreciated.
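Both answers above (somesoni2's and diogofgm's) classify the hash by length alone. The reason the eval has to run before stats is that eval works per event: once `stats values(HASH) by HASH_TYPE` has run, the per-event HASH field no longer exists (only HASH_TYPE and values(HASH) do), so len(HASH) is null and case() returns nothing. The search below is an added example, not code from either answer or from Splunk's documentation. It keeps the eval-before-stats ordering, additionally checks that the value is actually hexadecimal (length alone would also accept a 64-character string of junk), covers SHA-1 (40 hex characters), and writes into a new field named hash_type so the events' existing HASH_TYPE field (INVALID, SHA-256) is not overwritten and can still be filtered in the base search. The index and sourcetype are the thread's; the hash_type field name is an assumption.

```spl
index=res sourcetype=res_auth_file_hashes HASH_TYPE!="SHA-256"
| eval HASH=upper(trim(HASH))
| eval hash_type=case(
      match(HASH, "^[0-9A-F]{32}$"), "md5",
      match(HASH, "^[0-9A-F]{40}$"), "sha1",
      match(HASH, "^[0-9A-F]{64}$"), "sha256",
      true(), "unknown")
| table HASH hash_type
```

For a per-type summary, replace the final line with `| stats values(HASH) as hashes count by hash_type`. Note that the label is only an inference from digest size: 32, 40 and 64 hex characters are consistent with MD5, SHA-1 and SHA-256, but other algorithms produce the same lengths (any 256-bit digest is 64 hex characters), so the "unknown" bucket is worth keeping and reviewing rather than silently dropping.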