Why are some of the fields showing ascii hex value...

sdesigowda · ‎02-07-2018

Using cefutils I am able to get CEF stream data into Splunk. The issue is some of the fields are showing ascii hex values for a string.
Here is an example CEF data:

Thu Feb  8 07:08:10 2018 1/1/e1 CEF:23|XYZ|metadata|5.3.00|4|metadata generation|6|XYZMdataSslIssuerName=Google Internet Authority G2 dpt=63911 XYZMdataSslValidNotBefore=3138303131363038353430395a XYZMdataSslSerialNo=799d1de89c3718b6000000000000000000000000 XYZMdataSslValidNotAfter=3138303431303038343230305a XYZMdataSslCertSigAlgo=2a864886f70d01010b XYZMdataSslCertSubAlgo=2a8648ce3d02010000 XYZMdataSslCertSubKeySize=65 XYZMdataSslServerVersion=771 XYZMdataSslCertSubAltName=*.google.com XYZMdataSslServerCompressionMethod=192 XYZMdataSslServerCipher=49195 XYZMdataSslServerVersionText=TLSv1.2 XYZMdataSslServerSessionId=125 XYZMdataSslIssuer=2f433d55532f4f3d476f6f676c6520496e632f434e3d476f6f676c6520496e7465726e657420417574686f72697479204732 XYZMdataSslCertSubCommonName=*.google.com XYZMdataSslSub=2f433d55532f53543d43616c69666f726e69612f4c3d4d6f756e7461696e20566965772f4f3d476f6f676c6520496e632f434e3d2a2e676f6f676c652e636f6d dst=10.40.21.68 src=216.58.218.206 spt=443

Look into XYZMdataSslIssuer=2f433d55532f4f3d476f6f676c6520496e632f434e3d476f6f676c6520496e7465726e657420417574686f72697479204732.
value for key "XYZMdataSslIssue" is a string. It's showing ASCII values of character of a string. Where do I make a change so that cefutil ingests this value as string? It's just one example. There are other fields which have different values like date, integer etc.

to4kawa · ‎01-26-2020

| makeresults
| eval XYZMdataSslIssuer="2f433d55532f4f3d476f6f676c6520496e632f434e3d476f6f676c6520496e7465726e657420417574686f72697479204732"
| rex field=XYZMdataSslIssuer mode=sed "s/(\w{2})/%\1/g"
| eval XYZMdataSslIssuer=urldecode(XYZMdataSslIssuer)

HEX decode is usefull using rex mode=sed and urldecode()

Why are some of the fields showing ascii hex values for string after I get CEF stream data into splunk using cefutils?

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Are you a member of the Splunk Community?

Why are some of the fields showing ascii hex values for string after I get CEF stream data into splunk using cefutils?

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...