https://community.splunk.com/t5/Dashboards-Visualizations/auto-decode-UTF-8-encoded-string/m-p/497636#M32581 <P>Create a <CODE>macro</CODE> and put a giant <CODE>sed</CODE> command in that and then create a <CODE>Calculated Field</CODE> for your <CODE>sourcetype</CODE>. For example, here is one that I wrote to do URL decoding:</P> <PRE><CODE>... | rex field=fieldURLencoded mode=sed "s:%25:%:g s:%20: :g s:%3C:&lt;:g s:%3E:&gt;:g s:%23:#:g s:%7B:{:g s:%7D:}:g s:%7C:\|:g s:%5C:\\\:g s:%5E:\^:g s:%7E:~:g s:%5B:\[:g s:%5D:\]:g s:%60:\`:g s:%3B:;:g s:%2F:/:g s:%3F:\?:g s/%3A/:/g s:%40:@:g s:%3D:=:g s:%26:&amp;:g s:%24:\$:g s:%21:\!:g s:%2A:\*:g s:%22:\":g s:%28:\(:g s:%29:\):g s:%2B:\+:g" </CODE></PRE> Fri, 06 Dec 2019 21:11:22 GMT woodcock 2019-12-06T21:11:22Z https://community.splunk.com/t5/Dashboards-Visualizations/auto-decode-UTF-8-encoded-string/m-p/497635#M32580 <P>In our system we have 2 pipelines: one via <EM>Kafka-&gt;Connector-&gt;HEC-&gt;Splunk</EM>, the other <EM>DB Connect-&gt;Splunk</EM>.<BR /> Both pipelines are transporting data with the same sourcetype, which is marked with UTF-8 in <STRONG>props.conf</STRONG>: <CODE>CHARSET=UTF-8</CODE>.</P> <P>UTF-8 strings that flow thru <EM>DB Connect</EM> are shown in Search app in their decoded format:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8032i10AE10E5DF52BA14/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>While the data flowing via <EM>Connector-&gt;HEC</EM> is still encoded:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8033i83D48A2FFFA8B9D1/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Later on, the encoded values (such as "\u30a2...") are shown in the drop-down filters and so on.</P> <P>Advise is very appreciated.</P> Thu, 05 Dec 2019 22:18:48 GMT https://community.splunk.com/t5/Dashboards-Visualizations/auto-decode-UTF-8-encoded-string/m-p/497635#M32580 mushkevych 2019-12-05T22:18:48Z https://community.splunk.com/t5/Dashboards-Visualizations/auto-decode-UTF-8-encoded-string/m-p/497636#M32581 <P>Create a <CODE>macro</CODE> and put a giant <CODE>sed</CODE> command in that and then create a <CODE>Calculated Field</CODE> for your <CODE>sourcetype</CODE>. For example, here is one that I wrote to do URL decoding:</P> <PRE><CODE>... | rex field=fieldURLencoded mode=sed "s:%25:%:g s:%20: :g s:%3C:&lt;:g s:%3E:&gt;:g s:%23:#:g s:%7B:{:g s:%7D:}:g s:%7C:\|:g s:%5C:\\\:g s:%5E:\^:g s:%7E:~:g s:%5B:\[:g s:%5D:\]:g s:%60:\`:g s:%3B:;:g s:%2F:/:g s:%3F:\?:g s/%3A/:/g s:%40:@:g s:%3D:=:g s:%26:&amp;:g s:%24:\$:g s:%21:\!:g s:%2A:\*:g s:%22:\":g s:%28:\(:g s:%29:\):g s:%2B:\+:g" </CODE></PRE> Fri, 06 Dec 2019 21:11:22 GMT https://community.splunk.com/t5/Dashboards-Visualizations/auto-decode-UTF-8-encoded-string/m-p/497636#M32581 woodcock 2019-12-06T21:11:22Z https://community.splunk.com/t5/Dashboards-Visualizations/auto-decode-UTF-8-encoded-string/m-p/497637#M32582 <P>Thank you @woodcock. it seems as manual UTF-8 decoding function. I am wondering if Splunk has anything in place for this.</P> Sat, 07 Dec 2019 00:47:04 GMT https://community.splunk.com/t5/Dashboards-Visualizations/auto-decode-UTF-8-encoded-string/m-p/497637#M32582 mushkevych 2019-12-07T00:47:04Z https://community.splunk.com/t5/Dashboards-Visualizations/auto-decode-UTF-8-encoded-string/m-p/497638#M32583 <P>Check SplunkBase.</P> Sat, 07 Dec 2019 02:19:34 GMT https://community.splunk.com/t5/Dashboards-Visualizations/auto-decode-UTF-8-encoded-string/m-p/497638#M32583 woodcock 2019-12-07T02:19:34Z https://community.splunk.com/t5/Dashboards-Visualizations/auto-decode-UTF-8-encoded-string/m-p/506218#M33646 <P>My friend&nbsp;@Anonymous&nbsp;just wrote one and should be posting to splunkbase soon!</P> Thu, 25 Jun 2020 21:33:51 GMT https://community.splunk.com/t5/Dashboards-Visualizations/auto-decode-UTF-8-encoded-string/m-p/506218#M33646 woodcock 2020-06-25T21:33:51Z https://community.splunk.com/t5/Dashboards-Visualizations/auto-decode-UTF-8-encoded-string/m-p/693370#M56784 <P>Hello,</P><P>Splunk Cloud does not support "MIME Decoder Add-on for Cisco ESA". Did your colleague publish a decoder? I haven't found anything on Splunkbase.</P> Mon, 15 Jul 2024 12:08:55 GMT https://community.splunk.com/t5/Dashboards-Visualizations/auto-decode-UTF-8-encoded-string/m-p/693370#M56784 DanielP1 2024-07-15T12:08:55Z https://community.splunk.com/t5/Dashboards-Visualizations/auto-decode-UTF-8-encoded-string/m-p/693397#M56786 <P>Well, this is a rather old thread and Greg hasn't been much online lately. You might get bigger chance of getting a reply if you post your question about an app in a new thread. (possibly linking to this one for reference).</P> Mon, 15 Jul 2024 19:26:44 GMT https://community.splunk.com/t5/Dashboards-Visualizations/auto-decode-UTF-8-encoded-string/m-p/693397#M56786 PickleRick 2024-07-15T19:26:44Z