Hello,
I am importing Cisco Ironport data into Splunk, and the field "subject" contains UTF-8 encoded data with jumbled characters. Is there a way to automatically decode the subject to a string format? Now, I am using PowerShell and the CyberChef application to decode manually.
Kindly let me know how to solve this issue.
Regards,
RK
Hi @ravikirantaleka,
which TA are you using to parse the Cisco Ironport logs?
Did you try the Splunk Add-On for Cisco ESA (https://splunkbase.splunk.com/app/1761/)?
It should contain all the configuration to parse the Cisco Ironport logs.
Ciao.
Giuseppe
Hi @gcusello,
I am using the ESA TA that you mentioned, and normal strings are parsed well. However, URL, Chinese, and non-English characters are still displayed in base64 format. Now, I am wondering if Cisco Ironport has to have some configuration at their end to decode the characters before sending data into Splunk.
What do you think?
//RK
Hi @ravikirantaleka,
It shouldn't have, but I don't know your local configurations.
In this case the only way is to try with different charsets.
Ciao.
Giuseppe
Hi @gcusello,
Looks like it's a known bug at Cisco Ironport.
Cisco Bug: CSCun16129 - Translate subjects from base64 to human-readable format for export
Thank you for your input
//RK
Hi @ravikirantaleka,
See you next time!
Please accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
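One way to automate the manual PowerShell/CyberChef step discussed in this thread, as an added example that is not from any poster, from Cisco, or from the ESA add-on. It assumes the jumbled subjects are RFC 2047 encoded-words (`=?charset?B?...?=` or `=?charset?Q?...?=`); the function names and the sample subjects are constructed for illustration.

```python
import re
from email.header import decode_header

# Assumption: the "subject" field holds RFC 2047 encoded-words such as
# =?UTF-8?B?...?= (base64) or =?UTF-8?Q?...?= (quoted-printable).
ENCODED_WORD = re.compile(r"=\?[^?\s]+\?[bBqQ]\?[^?\s]*\?=")


def decode_subject(raw):
    """Return a readable subject; values that are not encoded pass through unchanged."""
    if not raw or not ENCODED_WORD.search(raw):
        return raw
    try:
        # decode_header joins adjacent encoded-words of the same charset
        # before we decode, so a character split across two words survives.
        parts = decode_header(raw)
    except Exception:
        return raw  # keep the original value for later triage
    out = []
    for data, charset in parts:
        if isinstance(data, bytes):
            try:
                out.append(data.decode(charset or "ascii", errors="replace"))
            except LookupError:  # charset label Python does not know
                out.append(data.decode("utf-8", errors="replace"))
        else:
            out.append(data)
    return "".join(out)


def enrich(event):
    """Add a subject_decoded key to a dict-shaped event, keeping the raw subject."""
    decoded = dict(event)
    decoded["subject_decoded"] = decode_subject(event.get("subject"))
    return decoded


if __name__ == "__main__":
    # Constructed sample subjects, not taken from real Ironport logs.
    samples = [
        "Re: =?UTF-8?B?5rWL6K+V?=",
        "=?UTF-8?Q?Caf=C3=A9_menu?=",
        "=?UTF-8?B?5rWL?= =?UTF-8?B?6K+V?=",
        "Quarterly report",
    ]
    for s in samples:
        print(enrich({"subject": s}))
```

Keeping the raw `subject` next to `subject_decoded` preserves the original value for searches and investigations that need the exact bytes the appliance logged.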