Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to breakdown TLV (Tag Length Value) format

vinayr9
New Member
‎01-10-2020 11:03 AM

I've a field in TLV format, how can I break it down and display in a readable format

data in TLV format: 0104ABCD0203XYZ0502MQ

How can I break it down like below:

01 - Subfield 01
04 - Lenght of Subfield 01
ABCD - Content of Subfield 01

02 - Subfield 02
03 - Length of Subfield 02
XYZ - Content of Subfield 02

05 - Subfield 05
02 - Lenght of Subfield 05
MQ - Content of Subfield 05

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎01-14-2020 04:12 AM 
| makeresults 
| eval _raw="0209MDJXMNZOF0306852024060205
0115300013698746230030658051404101319580514050201060214
0115380013698554359030655053704101319550537060205
0209MDSHRC6H60306851854050215060204
0209MDSIU39OS0306320261060205
0209MPGHON2H60306361705050206060262
0115580013700140787030632036504101319320365060205
0115300013699266920030673054204101319730542060205
0115300013698579543030655264604101319552646060205"
| makemv delim="
" _raw
| stats count by _raw
| table _raw
| rename COMMENT as "this is sample you provide. from here, the logic"
| rex field=_raw "^(?<fn_1>\d\d)(?<fl_1>\d\d)"
| eval sub1=substr(ltrim(_raw,fn_1.fl_1),1,fl_1)
| eval blob_1=fn_1.fl_1.sub1
| eval blob_2=substr(_raw,len(blob_1)+1)
| rex field=blob_2 "^(?<fn_2>\d\d)(?<fl_2>\d\d)"
| eval sub2=substr(blob_2,5,fl_2)
| eval blob_2=fn_2.fl_2.sub2
| eval blob_3=substr(_raw,len(blob_1.blob_2)+1)
| rex field=blob_3 "^(?<fn_3>\d\d)(?<fl_3>\d\d)"
| eval sub3=substr(blob_3,5,fl_3)
| eval blob_3=fn_3.fl_3.sub3
| eval blob_4=substr(_raw,len(blob_1.blob_2.blob_3)+1)
| rex field=blob_4 "^(?<fn_4>\d\d)(?<fl_4>\d\d)"
| eval sub4=substr(blob_4,5,fl_4)
| eval blob_4=fn_4.fl_4.sub4
| eval blob_5=substr(_raw,len(blob_1.blob_2.blob_3.blob_4)+1)
| rex field=blob_5 "^(?<fn_5>\d\d)(?<fl_5>\d\d)"
| eval sub5=substr(blob_5,5,fl_5)
| eval blob_5=fn_5.fl_5.sub5
| foreach fn_*
    [eval {<<FIELD>>} = sub<<MATCHSTR>>]
| fields 0*
| rename * as Subfield_*

HI, @vinayr9
I'm done by forced.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎01-14-2020 04:12 AM 
| makeresults 
| eval _raw="0209MDJXMNZOF0306852024060205
0115300013698746230030658051404101319580514050201060214
0115380013698554359030655053704101319550537060205
0209MDSHRC6H60306851854050215060204
0209MDSIU39OS0306320261060205
0209MPGHON2H60306361705050206060262
0115580013700140787030632036504101319320365060205
0115300013699266920030673054204101319730542060205
0115300013698579543030655264604101319552646060205"
| makemv delim="
" _raw
| stats count by _raw
| table _raw
| rename COMMENT as "this is sample you provide. from here, the logic"
| rex field=_raw "^(?<fn_1>\d\d)(?<fl_1>\d\d)"
| eval sub1=substr(ltrim(_raw,fn_1.fl_1),1,fl_1)
| eval blob_1=fn_1.fl_1.sub1
| eval blob_2=substr(_raw,len(blob_1)+1)
| rex field=blob_2 "^(?<fn_2>\d\d)(?<fl_2>\d\d)"
| eval sub2=substr(blob_2,5,fl_2)
| eval blob_2=fn_2.fl_2.sub2
| eval blob_3=substr(_raw,len(blob_1.blob_2)+1)
| rex field=blob_3 "^(?<fn_3>\d\d)(?<fl_3>\d\d)"
| eval sub3=substr(blob_3,5,fl_3)
| eval blob_3=fn_3.fl_3.sub3
| eval blob_4=substr(_raw,len(blob_1.blob_2.blob_3)+1)
| rex field=blob_4 "^(?<fn_4>\d\d)(?<fl_4>\d\d)"
| eval sub4=substr(blob_4,5,fl_4)
| eval blob_4=fn_4.fl_4.sub4
| eval blob_5=substr(_raw,len(blob_1.blob_2.blob_3.blob_4)+1)
| rex field=blob_5 "^(?<fn_5>\d\d)(?<fl_5>\d\d)"
| eval sub5=substr(blob_5,5,fl_5)
| eval blob_5=fn_5.fl_5.sub5
| foreach fn_*
    [eval {<<FIELD>>} = sub<<MATCHSTR>>]
| fields 0*
| rename * as Subfield_*

HI, @vinayr9
I'm done by forced.

0 Karma
Reply
Solved! Jump to solution

vinayr9
New Member
‎01-14-2020 07:35 AM

You are the best. Thank you so much.

0 Karma
Reply
Solved! Jump to solution

vinayr9
New Member
‎01-13-2020 11:31 AM

Thank you for your time and answer. Sorry I should have been more clear, in my actual log, the subfield and its length may vary. Below is a sample:

_raw
0209MDJXMNZOF0306852024060205
0115300013698746230030658051404101319580514050201060214
0115380013698554359030655053704101319550537060205
0209MDSHRC6H60306851854050215060204
0209MDSIU39OS0306320261060205
0209MPGHON2H60306361705050206060262
0115580013700140787030632036504101319320365060205
0115300013699266920030673054204101319730542060205
0115300013698579543030655264604101319552646060205

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎01-10-2020 04:29 PM 
| makeresults
| eval _raw="0104ABCD0203XYZ0502MQ"
| rex "(?<sub1>01)(?<sub1_len>\d+)(?<sub1_msg>.+?(?=02))(?<sub2>02)(?<sub2_len>\d+)(?<sub2_msg>.+?(?=05))(?<sub5>05)(?<sub5_len>\d+)(?<sub5_msg>.+)"

If it is not an actual log, I don't know whether it is working.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top