Re: How do I get the first 96 bytes of a file?

daniel333 · ‎01-10-2019

All,

I have a file just packed full of garbage. I really just want the first 96 characters of the file. I thought I could set TRUNCATE=96 on props.conf on my intermediate heavy forwarders and it would limit that to 96 characters, but that does not seem to the case.

Any recommendations? What I might be missing?

woodcock · ‎01-11-2019

Use this instead:

SHOULD_LINEMERGE = false
LINE_BREAKER = (?!)
TRUNCATE = 96
# SEDCMD-keep_first_96_bytes = s/^(.{96}).*$/\1/

FrankVl · ‎01-13-2019

SEDCMD works on _raw, after linebreaking/merging, right? So that is not really going to do any better than truncate?

woodcock · ‎01-14-2019

Good point, see updated answer.

FrankVl · ‎01-10-2019

Truncate works event by event, so if splunk breaks up the file into multiple events (e.g. 1 per line), then it will truncate each of those to 96 bytes.

So to make that truncate work, you'd have to make sure to set your linebreaking config such that it considers the whole file as 1 event.

But this might be one of those cases where it would be easier (and more efficient) to perhaps put some script in place that takes the first 96 bytes and writes it to a separate file for Splunk to read. That also resolves the challenge of dealing with the universal forwarder sending part of the file to one HF and part of the file to another due to auto load balancing.

How do I get the first 96 bytes of a file?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk