topic Re: How to breakdown TLV (Tag Length Value) format in Knowledge Management

How to breakdown TLV (Tag Length Value) format

vinayr9 — Sat, 06 Jun 2020 17:36:13 GMT

I've a field in TLV format, how can I break it down and display in a readable format

data in TLV format: 0104ABCD0203XYZ0502MQ

How can I break it down like below:

01 - Subfield 01
04 - Lenght of Subfield 01
ABCD - Content of Subfield 01

02 - Subfield 02
03 - Length of Subfield 02
XYZ - Content of Subfield 02

05 - Subfield 05
02 - Lenght of Subfield 05
MQ - Content of Subfield 05

Re: How to breakdown TLV (Tag Length Value) format

to4kawa — Sat, 11 Jan 2020 00:29:40 GMT

| makeresults
| eval _raw="0104ABCD0203XYZ0502MQ"
| rex "(?<sub1>01)(?<sub1_len>\d+)(?<sub1_msg>.+?(?=02))(?<sub2>02)(?<sub2_len>\d+)(?<sub2_msg>.+?(?=05))(?<sub5>05)(?<sub5_len>\d+)(?<sub5_msg>.+)"

If it is not an actual log, I don't know whether it is working.

Re: How to breakdown TLV (Tag Length Value) format

vinayr9 — Mon, 13 Jan 2020 19:31:21 GMT

Thank you for your time and answer. Sorry I should have been more clear, in my actual log, the subfield and its length may vary. Below is a sample:

_raw
0209MDJXMNZOF0306852024060205
0115300013698746230030658051404101319580514050201060214
0115380013698554359030655053704101319550537060205
0209MDSHRC6H60306851854050215060204
0209MDSIU39OS0306320261060205
0209MPGHON2H60306361705050206060262
0115580013700140787030632036504101319320365060205
0115300013699266920030673054204101319730542060205
0115300013698579543030655264604101319552646060205

Re: How to breakdown TLV (Tag Length Value) format

to4kawa — Tue, 14 Jan 2020 12:12:27 GMT

| makeresults 
| eval _raw="0209MDJXMNZOF0306852024060205
0115300013698746230030658051404101319580514050201060214
0115380013698554359030655053704101319550537060205
0209MDSHRC6H60306851854050215060204
0209MDSIU39OS0306320261060205
0209MPGHON2H60306361705050206060262
0115580013700140787030632036504101319320365060205
0115300013699266920030673054204101319730542060205
0115300013698579543030655264604101319552646060205"
| makemv delim="
" _raw
| stats count by _raw
| table _raw
| rename COMMENT as "this is sample you provide. from here, the logic"
| rex field=_raw "^(?<fn_1>\d\d)(?<fl_1>\d\d)"
| eval sub1=substr(ltrim(_raw,fn_1.fl_1),1,fl_1)
| eval blob_1=fn_1.fl_1.sub1
| eval blob_2=substr(_raw,len(blob_1)+1)
| rex field=blob_2 "^(?<fn_2>\d\d)(?<fl_2>\d\d)"
| eval sub2=substr(blob_2,5,fl_2)
| eval blob_2=fn_2.fl_2.sub2
| eval blob_3=substr(_raw,len(blob_1.blob_2)+1)
| rex field=blob_3 "^(?<fn_3>\d\d)(?<fl_3>\d\d)"
| eval sub3=substr(blob_3,5,fl_3)
| eval blob_3=fn_3.fl_3.sub3
| eval blob_4=substr(_raw,len(blob_1.blob_2.blob_3)+1)
| rex field=blob_4 "^(?<fn_4>\d\d)(?<fl_4>\d\d)"
| eval sub4=substr(blob_4,5,fl_4)
| eval blob_4=fn_4.fl_4.sub4
| eval blob_5=substr(_raw,len(blob_1.blob_2.blob_3.blob_4)+1)
| rex field=blob_5 "^(?<fn_5>\d\d)(?<fl_5>\d\d)"
| eval sub5=substr(blob_5,5,fl_5)
| eval blob_5=fn_5.fl_5.sub5
| foreach fn_*
    [eval {<<FIELD>>} = sub<<MATCHSTR>>]
| fields 0*
| rename * as Subfield_*

HI, @vinayr9
I'm done by forced.

Re: How to breakdown TLV (Tag Length Value) format

vinayr9 — Tue, 14 Jan 2020 15:35:18 GMT

You are the best. Thank you so much.