Hi,
I am trying to find a solution to the below problem:
HASH (Data field name)
001300A5323BF6C1812B686C1C896857D4CF85C676E48F451D8CB7B9A8F0AFE0
002A2F5CFCF551F27EF4637480C60FC7CEEB53ADE3233F8645D89FFDB39A3A58
00330A0E0EB1DBB6EE84997963F8E15C7C15C1DF787F1C7F109609D7B31BD35C
005ECF2A6C557DDCEC50E8BF5627BA9C
The above field contains HASH values.
Question: how do I loop through the above HASH values and weed out whether a particular value is sha256 or md5? I researched that an sha256 value contains 64 digits and an MD5 value 32 digits. So in the case above, if a field value is 64 digits I would like to create a data field named Hash type with the corresponding value.
Output
hash type hash
sha256 001300A5323BF6C1812B686C1C896857D4CF85C676E48F451D8CB7B9A8F0AFE0
sha256 002A2F5CFCF551F27EF4637480C60FC7CEEB53ADE3233F8645D89FFDB39A3A58
sha256 00330A0E0EB1DBB6EE84997963F8E15C7C15C1DF787F1C7F109609D7B31BD35C
md5 005ECF2A6C557DDCEC50E8BF5627BA9C
I have tried using the eval, case and len functions, but then I am not sure how to loop through the fields one by one and find the length. How do I set my pointer?
Any suggestions?
Is HASH a multivalued field (one event contains multiple values)?
It's not a multivalued field. One event contains a unique value, and after filtering my data from BigFix, Splunk, I identified these hashes as "invalid"; my goal is to weed out by counting character length and checking if it's sha256 or md5.
I tried exactly the same query you wrote and that didn't work.
Check the field names as they are case-sensitive.
Here's my query:
index=res sourcetype=res_auth_file_hashes| stats values(HASH) by HASH_TYPE | where HASH_TYPE!="SHA-256"|eval HASH_TYP= case(len(HASH)=64,"sha",len(HASH)=32,"md5")
And the current output:
HASH_TYPE values(HASH)
INVALID 001300A5323BF6C1812B686C1C896857D4CF85C676E48F451D8CB7B9A8F0AFE0
002A2F5CFCF551F27EF4637480C60FC7CEEB53ADE3233F8645D89FFDB39A3A58
00330A0E0EB1DBB6EE84997963F8E15C7C15C1DF787F1C7F109609D7B31BD35C
005ECF2A6C557DDCEC50E8BF5627BA9C
007BEFA1DC79145968EB2277A08AA0CC2561C952B138E015301B832B25A7DA3C
HASH_TYPE is not set at the stats/where command. Move the eval HASH_TYPE command to before stats.
Sorry, I did not understand your answer, and I'm not sure how moving the eval HASH_TYPE command to before stats would make a difference.
index=res sourcetype=res_auth_file_hashes |eval HASH_TYPE= case(len(HASH)=64,"sha",len(HASH)=32,"md5")| table HASH HASH_TYPE | where HASH_TYPE!="SHA-256"
Got it, thanks.
Try
Base search | eval type= case(len(hash)=64,"sha",len(hash)=32,"md5")
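Putting the thread's advice together, as an added example that is not from any of the posts above: the classification runs before stats, and it uses match() against a hex pattern rather than len() alone, so a 64-character value containing non-hex characters is not mislabelled as SHA-256. It also goes beyond the thread by recognising SHA-1 (40 hex characters) and by collecting anything else under "unknown". The index, sourcetype, HASH and HASH_TYPE names come from the thread; hash_norm and hash_class are field names assumed here.

```spl
index=res sourcetype=res_auth_file_hashes HASH_TYPE!="SHA-256"
| eval hash_norm=lower(trim(HASH))
| eval hash_class=case(
      match(hash_norm, "^[0-9a-f]{64}$"), "sha256",
      match(hash_norm, "^[0-9a-f]{40}$"), "sha1",
      match(hash_norm, "^[0-9a-f]{32}$"), "md5",
      true(), "unknown")
| stats count values(HASH) as hashes by hash_class
```

The rows that land in "unknown" (wrong length or non-hex characters) are the ones worth inspecting by hand; a case() built on len() alone without a true() branch leaves them as null and they silently drop out of the stats grouping.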