All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to automatically decode Cisco Ironport UTF-8?

ravikirantaleka
Explorer
‎08-16-2022 12:46 AM

Hello,

I am importing Cisco Ironport data into Splunk, field "subject" contains UTF-8 encoded data with jumbled characters. Is there a way to automatically decode the subject to a string format? Now, I am using Powershell and CyberChef application to decode manually.

Kindly let me know how to solve this issue.

Regards,

RK

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-16-2022 01:01 AM

Hi @ravikirantaleka,

which TA are you using to parse the Cisco Ironport logs?

Did you tried with Splunk Add-On for Cisco ESA (https://splunkbase.splunk.com/app/1761/)?

It should contain all the configuration to parse the Cisco Ironport logs.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

ravikirantaleka
Explorer
‎08-16-2022 01:25 AM

Hi @gcusello,

I am using ESA TA that you mentioned, the normal string is parsed well. However, URL, Chinese, and not English characters are still displayed in base64 format. Now, I am wondering if Cisco Ironport has to have some configuration at their end to decode the characters before sending data into Splunk.

What do you think?

//RK

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-16-2022 07:21 AM

Hi @ravikirantaleka,

it shouldn't have, buit i don't know your local configurations.

in this case the only whay is to try with different charsets.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

ravikirantaleka
Explorer
‎08-16-2022 11:06 PM

Hi @gcusello,

Looks like it's a known bug at Cisco Ironport.

Cisco Bug: CSCun16129 - Translate subjects from base64 to human-readable format for export

Thank you for your input

//RK

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-17-2022 12:10 AM

Hi @ravikirantaleka,

see next time!

Please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-16-2022 01:01 AM

Hi @ravikirantaleka,

which TA are you using to parse the Cisco Ironport logs?

Did you tried with Splunk Add-On for Cisco ESA (https://splunkbase.splunk.com/app/1761/)?

It should contain all the configuration to parse the Cisco Ironport logs.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...