Eval and rex to props.comf

Splunk_rocks · ‎05-02-2018

Just looking some help to construct props file for below search statement.

| rex max_match=10 field=violation_details "(?[^<]+)" | base64 field=cookie_value action=decode |

mhoogcarspel_sp · ‎05-02-2018

The rex part you can do with a REPORT and a MV_ADD = true in the transforms I think, however the base64 command is another question, as you can't call commands in props/transforms.

I think you would either have to still have the base64 in your search, or thinking outside of the box a bit:
You could implement a base64 lookup as an external script lookup, although I don't know what the limits are of the size that you can input (i.e. this probably won't work for big base64 blobs)

Splunk_rocks · ‎05-02-2018

Thanks for the update, thats what i feel but just thought of double check

cpetterborg · ‎05-02-2018

Are you trying to get the base64 encoded field decoded through the props.confconfiguration? If so, this can't be done, there is no method of doing the decoding within the props.conf file. You can extract the field, but it will be in the encoded state, not decoded.

Splunk_rocks · ‎05-02-2018

| rex max_match=10 field=violation_details "(?[^<]+)" | base64 field=cookie_value action=decode |

Splunk_rocks · ‎05-02-2018

missing filed info so pasted here ..Looks like field=violation_details ""(?)

FrankVl · ‎05-02-2018

put your search code in as code (use the 101010 button, or surround with ```).

Eval and rex to props.comf

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases