Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

auto-decode UTF-8 encoded-string

mushkevych
Explorer
‎12-05-2019 02:18 PM

In our system we have 2 pipelines: one via Kafka->Connector->HEC->Splunk, the other DB Connect->Splunk.
Both pipelines are transporting data with the same sourcetype, which is marked with UTF-8 in props.conf: CHARSET=UTF-8.

UTF-8 strings that flow thru DB Connect are shown in Search app in their decoded format:
alt text

While the data flowing via Connector->HEC is still encoded:
alt text

Later on, the encoded values (such as "\u30a2...") are shown in the drop-down filters and so on.

Advise is very appreciated.

Preview file
6 KB
Preview file
5 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎12-06-2019 01:11 PM

Create a macro and put a giant sed command in that and then create a Calculated Field for your sourcetype. For example, here is one that I wrote to do URL decoding:

... | rex field=fieldURLencoded mode=sed "s:%25:%:g s:%20: :g s:%3C:<:g s:%3E:>:g s:%23:#:g s:%7B:{:g s:%7D:}:g s:%7C:\|:g s:%5C:\\\:g s:%5E:\^:g s:%7E:~:g s:%5B:\[:g s:%5D:\]:g s:%60:\`:g s:%3B:;:g s:%2F:/:g s:%3F:\?:g s/%3A/:/g s:%40:@:g s:%3D:=:g s:%26:&:g s:%24:\$:g s:%21:\!:g s:%2A:\*:g s:%22:\":g s:%28:\(:g s:%29:\):g s:%2B:\+:g"
Reply

mushkevych
Explorer
‎12-06-2019 04:47 PM

Thank you @woodcock. it seems as manual UTF-8 decoding function. I am wondering if Splunk has anything in place for this.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-25-2020 02:33 PM

My friend @Anonymous just wrote one and should be posting to splunkbase soon!

0 Karma
Reply

woodcock
Esteemed Legend
‎12-06-2019 06:19 PM

Check SplunkBase.

0 Karma
Reply

DanielP1
Engager
‎07-15-2024 05:08 AM

Hello,

Splunk Cloud does not support "MIME Decoder Add-on for Cisco ESA". Did your colleague publish a decoder? I haven't found anything on Splunkbase.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-15-2024 12:26 PM

Well, this is a rather old thread and Greg hasn't been much online lately. You might get bigger chance of getting a reply if you post your question about an app in a new thread. (possibly linking to this one for reference).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...