Getting Data In

splunking hex-based log events

highiqboy
Explorer

I have log files from a custom app we wrote that is entirely in hex.

To splunk it, I understand I might be able to create a custom command that converts hex-to-ascii and then pipe to it at search time and then pipe again to "search some ascii terms"

Could I also, though, create a custom hex-to-ascii module or component and insert it into pipeline.xml after input step and before the indexing step? I believe that approach was supported in Splunk v2.x or maybe it was v3.x.

Also, does that component need to be written in C/C++ or can it be a script instead?

gkanapathy
Splunk Employee

You cannot do the conversion at search time. Data presented to Splunk at index time must be text data, as Splunk fundamentally indexes text.

There is currently (4.1.5) no support for creating your own pipeline to insert between the file monitor and the rest of the Splunk indexing queue. The recommended solution currently is either:

  • Preprocess your binary data and write it to text files, and provide the files to Splunk via either the monitor or batch inputs.
  • Create your own scripted input that does whatever it needs to do to generate text output and writes it to standard output. It does not matter what this is written in. Splunk will simply call the program and index whatever comes from its standard output stream. If you are trying to convert files,

Unfortunately both solutions have the disadvantage that you will have to code all file-tracking logic on your own in your program, rather than being able to use the Splunk file input monitor to do this.
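As an added illustration of the second option in the answer (a scripted input that decodes the hex and writes text to standard output, while tracking its own position in each file), the following Python script is not part of the original thread or Splunk's own code. It assumes that each line of the source file is one event encoded as hex characters, and it keeps a JSON checkpoint file of byte offsets so that a re-run does not re-emit events; the file names, the checkpoint format and the sample data in `demo()` are constructed for this example.

```python
#!/usr/bin/env python3
"""Hypothetical Splunk scripted input: decode hex-encoded log files to text.

Assumptions (not from the thread): one hex-encoded event per line; a JSON
checkpoint file records the byte offset already processed per source file.
Splunk simply indexes whatever this script writes to standard output.
"""
import io
import json
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

HEX_DIGITS = set("0123456789abcdefABCDEF")


def decode_hex_line(line: str) -> str:
    """Turn one hex-encoded line into text; whitespace between bytes is ignored.
    Invalid UTF-8 is replaced rather than dropped so a corrupt record still
    yields a searchable event instead of silently disappearing."""
    compact = "".join(ch for ch in line if not ch.isspace())
    if not compact:
        return ""
    if len(compact) % 2 or any(ch not in HEX_DIGITS for ch in compact):
        raise ValueError(f"not a hex record: {line!r}")
    return bytes.fromhex(compact).decode("utf-8", errors="replace")


def load_checkpoints(path: Path) -> Dict[str, int]:
    return json.loads(path.read_text()) if path.exists() else {}


def save_checkpoints(path: Path, checkpoints: Dict[str, int]) -> None:
    tmp = path.with_suffix(".tmp")
    tmp.write_text(json.dumps(checkpoints))
    os.replace(tmp, path)  # atomic rename: a crash never leaves a half-written checkpoint


def decode_new_events(source: Path, offset: int) -> Tuple[List[str], int]:
    """Return events appended since `offset` and the new offset.
    This is the file-tracking logic the answer says you must write yourself:
    only complete (newline-terminated) lines are consumed, and a file that
    shrank (rotated/truncated) is read again from the start."""
    if source.stat().st_size < offset:
        offset = 0
    events: List[str] = []
    with source.open("rb") as fh:
        fh.seek(offset)
        while True:
            raw = fh.readline()
            if not raw or not raw.endswith(b"\n"):
                break  # EOF, or a partial line the writer has not finished yet
            offset += len(raw)
            text = raw.decode("ascii", errors="replace").strip()
            if not text:
                continue
            try:
                events.append(decode_hex_line(text))
            except ValueError as exc:
                # keep bad records visible in the index rather than skipping them
                events.append(f"HEXDECODE_ERROR file={source.name} msg={exc}")
    return events, offset


def run(sources: List[Path], checkpoint_file: Path, out=sys.stdout) -> int:
    """Decode everything new in `sources`, write it to `out`, update checkpoints.
    Returns the number of events emitted."""
    checkpoints = load_checkpoints(checkpoint_file)
    emitted = 0
    for src in sources:
        events, new_offset = decode_new_events(src, checkpoints.get(str(src), 0))
        for event in events:
            out.write(event + "\n")
            emitted += 1
        checkpoints[str(src)] = new_offset
    save_checkpoints(checkpoint_file, checkpoints)
    return emitted


def demo() -> Tuple[int, int, int, List[str]]:
    """Constructed end-to-end run on a temporary hex log (sample data, not real)."""
    with tempfile.TemporaryDirectory() as tmp:
        log, ckpt = Path(tmp) / "app.hex", Path(tmp) / "checkpoint.json"
        log.write_bytes(b"48656c6c6f\n6c6f67696e206f6b\n")      # "Hello", "login ok"
        first = io.StringIO()
        n1 = run([log], ckpt, first)                         # 2 events
        n2 = run([log], ckpt, io.StringIO())                 # nothing new: 0
        with log.open("ab") as fh:
            fh.write(b"zz\n6279652e")                        # bad record + partial line
        third = io.StringIO()
        n3 = run([log], ckpt, third)                         # 1 event (the error marker)
        return n1, n2, n3, first.getvalue().splitlines() + third.getvalue().splitlines()


if __name__ == "__main__":
    # Splunk invokes the script on its interval: script.py <checkpoint.json> <hex files...>
    run([Path(p) for p in sys.argv[2:]], Path(sys.argv[1]))
```

The checkpoint is written with an atomic rename and only newline-terminated lines are consumed, so an interrupted run or a file that is still being written does not produce duplicate or truncated events; a shrunken file is treated as rotated and re-read from the beginning.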
