Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are some of the fields showing ascii hex values for string after I get CEF stream data into splunk using cefutils?

sdesigowda
New Member
‎02-07-2018 03:10 PM

Using cefutils I am able to get CEF stream data into Splunk. The issue is some of the fields are showing ascii hex values for a string.
Here is an example CEF data:

Thu Feb  8 07:08:10 2018 1/1/e1 CEF:23|XYZ|metadata|5.3.00|4|metadata generation|6|XYZMdataSslIssuerName=Google Internet Authority G2 dpt=63911 XYZMdataSslValidNotBefore=3138303131363038353430395a XYZMdataSslSerialNo=799d1de89c3718b6000000000000000000000000 XYZMdataSslValidNotAfter=3138303431303038343230305a XYZMdataSslCertSigAlgo=2a864886f70d01010b XYZMdataSslCertSubAlgo=2a8648ce3d02010000 XYZMdataSslCertSubKeySize=65 XYZMdataSslServerVersion=771 XYZMdataSslCertSubAltName=*.google.com XYZMdataSslServerCompressionMethod=192 XYZMdataSslServerCipher=49195 XYZMdataSslServerVersionText=TLSv1.2 XYZMdataSslServerSessionId=125 XYZMdataSslIssuer=2f433d55532f4f3d476f6f676c6520496e632f434e3d476f6f676c6520496e7465726e657420417574686f72697479204732 XYZMdataSslCertSubCommonName=*.google.com XYZMdataSslSub=2f433d55532f53543d43616c69666f726e69612f4c3d4d6f756e7461696e20566965772f4f3d476f6f676c6520496e632f434e3d2a2e676f6f676c652e636f6d dst=10.40.21.68 src=216.58.218.206 spt=443

Look into XYZMdataSslIssuer=2f433d55532f4f3d476f6f676c6520496e632f434e3d476f6f676c6520496e7465726e657420417574686f72697479204732.
value for key "XYZMdataSslIssue" is a string. It's showing ASCII values of character of a string. Where do I make a change so that cefutil ingests this value as string? It's just one example. There are other fields which have different values like date, integer etc.

0 Karma
Reply

to4kawa
Ultra Champion
‎01-26-2020 07:06 PM 
| makeresults
| eval XYZMdataSslIssuer="2f433d55532f4f3d476f6f676c6520496e632f434e3d476f6f676c6520496e7465726e657420417574686f72697479204732"
| rex field=XYZMdataSslIssuer mode=sed "s/(\w{2})/%\1/g"
| eval XYZMdataSslIssuer=urldecode(XYZMdataSslIssuer)

HEX decode is usefull using rex mode=sed and urldecode()

Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...