Splunk Search

How to convert Hex to Ascii in Splunk?

danielrusso1
Path Finder

I have a hex value that I need to convert to ASCII. Is there a way to do this in Splunk?

string-value=0x4c617374206f627365727665642076616c756520666f7220526f6c6c6261636b205472616e73616374696f6e73202025203a2031330a20204f627365727665642074696d653a204175672031392c203230313420323a34313a333720504d0a2020526f6c6c6261636b205472616e73616374696f6e73203a20352e320a20205472616e73616374696f6e7320203a2035382e340

convert to:

Last observed value for Rollback Transactions % : 13
Observed time: Aug 19, 2014 2:41:37 PM
Rollback Transactions : 5.2
Transactions : 58.4


to4kawa
Ultra Champion
| stats count 
| eval value="0x4c617374206f627365727665642076616c756520666f7220526f6c6c6261636b205472616e73616374696f6e73202025203a2031330a20204f627365727665642074696d653a204175672031392c203230313420323a34313a333720504d0a2020526f6c6c6261636b205472616e73616374696f6e73203a20352e320a20205472616e73616374696f6e7320203a2035382e340" 
| eval ascii=urldecode(ltrim(replace(value,"([a-f0-9]{2})","%\1"),"0x"))

One liner.

dave_null
Path Finder

This worked very well for me, thanks. One modification though if your HEX value may contain upper and lower case is to add A-F to the regex.

 

eval ascii=urldecode(ltrim(replace(value,"([a-fA-F0-9]{2})","%\1"),"0x"))

 

0 Karma

bfernandez
Communicator

Try this app, which provides a command to decode Hex.

DECRYPT APP

0 Karma

landen99
Motivator

I initially proposed the following answer from a misunderstanding of the tostring function, and therefore the following answer is not correct. The following function converts a number (not a hex string) to hex. It does not convert a hex value to anything. The answer below is being left here to allow others to learn the true purpose of the function, and to realize that it does not convert hex to text.


The answer was:

| eval y=tostring(x,"hex")

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/CommonEvalFunctions

0 Karma

curtisb1024
Path Finder

tostring(x,"hex") will convert a number to a hex string. OP wants to convert a hex string to ASCII. This solution will not work.

0 Karma

landen99
Motivator

I realized that just now as I attempted to verify the solution. Surely there must be another simple solution using only eval. searching ..

0 Karma

curtisb1024
Path Finder

I needed to do this for some work I had a while ago and was utterly unable to find anything that worked using just eval. I realize my solution is pretty hacky.

0 Karma

landen99
Motivator

The layout of the function cited above implies that it takes something formatted as a hex and converts it to an ascii string value. As you noted, it actually converts into hex. I am making a feature request. This is surely a really simple function for Splunk.

0 Karma

curtisb1024
Path Finder

One way you could convert Hex to ASCII is using eval's urldecode function.

| rex mode=sed field=yourField "s/([0-9A-Fa-f]{2})/%\1/g" | eval yourField=urldecode(substr(yourField,3))

The "rex" will add a "%" in front of every second character in the hex string, which allows the "urldecode" to interpret them as hex encoded values. The substr is to chop off the leading "%0x" from the hex string.

dc5553
Explorer

What version are you all using? This option does not work for me. Trying to convert eStreamer packet (hex) to their ASCII equivalent, I get no output in my table for that value.

0 Karma

sanhema
New Member

Hi. Could you please tell the ways that you resolved this? I am also trying to convert eStreamer packet to their ASCII.
It would be great if you could help me.

0 Karma

arandriamanohis
Engager

Here's what I used to decode eStreamer packet data (assuming your packet field is named packet):

your search for packet | rex mode=sed field=packet "s/([0-9A-Fa-f]{2})/%\1/g" | rex mode=sed field=packet "s/%[890ABCDEDFabcdef][\d\w]/-/g" | eval packet_ascii=urldecode(packet)

I had to replace any non-ASCII character with dashes so that urldecode does not fail. No need for the substr function either in this case. I hope that helps 🙂

0 Karma

landen99
Motivator

I created a macro based off of that until Splunk can bring us this feature:
hex2ascii(2)

eval hex_url=$fieldname_hex$   | rex mode=sed field=hex_url "s/([0-9A-Fa-f]{2})/%\1/g"   | eval $fieldname_ascii$ =urldecode(substr(hex_url,3))

It works great.

sanhema
New Member

Hi,

I am trying to convert eStreamer pcap, which is hex, to ASCII. I am trying to do the same as you have explained, but no luck, I am not getting a result. Could you please help me?

Thanks in advance

0 Karma

jakewalter
Explorer

The urldecode function has issues with certain characters, so many of them need to be escaped (specifically any with hex starting with 0, 1, 8, 9, or any letter...). I built this eval statement that can be used as a calculated field:

urldecode(replace(replace(substr(packet, -packet_len*2), "([A-Fa-f0-9][\d\w])", "%\1"), "%[\D0-18-9]\w", "."))

martin_mueller
SplunkTrust

I don't know of any built-in Hex2Ascii conversion... but I see at least two ways of achieving this. First, you could build a large-ish SED expression that converts each byte into a character at index time... second, you could write a custom search command that does just that at search time, using (probably) readily available library methods in Python that do the conversion for you.
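A sketch of the conversion core that such a search-time Python command could call per event, added here as an example and not code posted by anyone in this thread. The names `hex_to_ascii` and `placeholder` are hypothetical, the function is not wired to Splunk's SDK, and it covers the cases raised above: the `0x` prefix, mixed-case hex, a dangling half byte, and bytes that are not printable ASCII.

```python
import re

# Hypothetical helper names; this is not Splunk's API. A custom search
# command would call hex_to_ascii() on the field value of each event.
_HEX_ONLY = re.compile(r"[0-9A-Fa-f]*\Z")
_KEEP_WHITESPACE = {0x09, 0x0A, 0x0D}  # tab, LF, CR


def hex_to_ascii(value, placeholder="."):
    """Return (text, truncated) for a hex string with optional 0x prefix.

    Bytes outside printable ASCII become `placeholder`, so control bytes
    such as ESC (0x1b) never reach a terminal or dashboard unescaped.
    `truncated` is True when a dangling half byte had to be dropped.
    """
    digits = value.strip()
    if digits[:2].lower() == "0x":
        digits = digits[2:]
    if not _HEX_ONLY.match(digits):
        raise ValueError("value contains non-hex characters")
    truncated = len(digits) % 2 == 1
    if truncated:
        digits = digits[:-1]
    chars = []
    for byte in bytes.fromhex(digits):
        if 0x20 <= byte <= 0x7E or byte in _KEEP_WHITESPACE:
            chars.append(chr(byte))
        else:
            chars.append(placeholder)
    return "".join(chars), truncated


if __name__ == "__main__":
    # First bytes of the value from the question, then constructed samples.
    for sample in ("0x4c617374206f627365727665642076616c7565",
                   "35382E340",            # upper case, odd length
                   "48691b5b326a00ff41"):  # ESC sequence, NUL, 0xff
        print(repr(sample), "->", hex_to_ascii(sample))
```

Unlike the urldecode approach, the byte-level check decides per byte what is safe to show, and the `truncated` flag tells the analyst when the source field was cut off mid-byte.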