Splunk Search

Is there any way to decode encoded HTML values saved in a log file?

Boopalan
New Member

I want to decode all the encoded HTML values present in a log file while indexing itself.
Is there any way to do it?

0 Karma

sampathramtvnr
New Member

urldecode works for decoding the values of URL addresses and strings.
Try the below examples:

With URL:
| makeresults
| eval field1= "f%23has%2Bofh%20a"
| eval field1 = urldecode(field1)

With string:
For example, you already have a field value, then:
| rex mode=sed field=field1 "s/ / /g"
| eval a=urldecode(field1)

0 Karma

pkeenan87
Communicator

You could try and decode it at search time with the urldecode eval function:

https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/TextFunctions

0 Karma

Boopalan
New Member

@pkeenan87, the urldecode function is not working as expected. I tried doing that, but it works only for decoding values of URL addresses, not for a string containing ASCII encoded values in HTML.

0 Karma

dmarling
Builder

Urldecode decodes with the URL encoding that starts with a percentage sign. You can manipulate the data a bit to force it to work. Using the most recent example by @Boopalan I got it to work, but I had to manually account for the HTML Encoded Line Feed character.

Run anywhere example:

| makeresults count=1
| eval data="- 
--  Start of getter Meods
retiremevice.io.ReturnCd: 0
retiremevice.io.RtSCd:"
| eval test=data
| rex mode=sed field=test "s/
/\n/g"
| rex mode=sed field=test "s/&#x?([^\;]+);/%\1/g"
| eval test2=urldecode(test)

It makes it look like this when it runs:

- 
--  Start of getter Meods
retiremevice.io.ReturnCd: 0
retiremevice.io.RtSCd:
If this comment/answer was helpful, please up vote it. Thank you.
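
Added example (not part of the thread, and not Splunk code): a Python model of the rex-then-urldecode workaround above next to the standard library's `html.unescape`, showing which numeric entities the `%` rewrite decodes correctly and which it does not. Using `urllib.parse.unquote` as a stand-in for Splunk's `urldecode`, the function names and the sample log line are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample line (not from the thread's log): hex, decimal, wide and named entities.
SAMPLE = ("[INFO ] [*] - &#x2D;&#x2D; Start of getter Me&#x74;hods&#10;"
          "svc.io.ReturnCd&#58; 0 &#x20AC;5 &amp; tax")

# Same substitution as the thread's second rex sed step: &#xHH; / &#DD; -> %HH / %DD
ENTITY_TO_PERCENT = re.compile(r"&#x?([^;]+);")
NUMERIC_ENTITY = re.compile(r"&#[xX]?[0-9A-Fa-f]+;")


def percent_rewrite_decode(text):
    """Model of the workaround: rewrite numeric entities to %..., then URL-decode.
    Assumption: urllib.parse.unquote stands in for Splunk's urldecode()."""
    return unquote(ENTITY_TO_PERCENT.sub(r"%\1", text))


def entity_decode(text):
    """Decode named, decimal and hex HTML entities with the standard library."""
    return html.unescape(text)


def mismatches(line):
    """Return (entity, workaround_result, html_result) where the two decoders differ."""
    found = []
    for entity in NUMERIC_ENTITY.findall(line):
        got, want = percent_rewrite_decode(entity), entity_decode(entity)
        if got != want:
            found.append((entity, got, want))
    return found


if __name__ == "__main__":
    print(repr(entity_decode(SAMPLE)))
    for entity, got, want in mismatches(SAMPLE):
        print(f"{entity!r}: %-rewrite gives {got!r}, html.unescape gives {want!r}")
```

Two-digit hex entities such as `&#x2D;` decode the same either way; decimal entities and code points above 0xFF are where the two outputs differ.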

Boopalan
New Member

Hey Splunk folks,
Is there any possible way/ideas to do that?

0 Karma

niketn
Legend

@Boopalan any example from the log where html values are encoded? Which kind of encoding is in place? Also are these specific technology logs or are they custom logs? Please mock/anonymize any sensitive data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Boopalan
New Member

@niketnilay, PFB sample of encoded html values in the log file.

%[datetime] [Default: 0] [] [INFO ] [*] - 
--  Start of getter Meods
retiremevice.io.ReturnCd: 0
retiremevice.io.RtSCd: 
0 Karma

niketn
Legend

@Boopalan, for the above text what are the expected decoded characters? I am not sure if this looks like either encoding or escaping of special characters. Would need to wait for others to comment. Or more details would help us assist you better!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma