I have a hex value that i need to convert to ascii. is there a way to do this in splunk?
string-value=0x4c617374206f627365727665642076616c756520666f7220526f6c6c6261636b205472616e73616374696f6e73202025203a2031330a20204f627365727665642074696d653a204175672031392c203230313420323a34313a333720504d0a2020526f6c6c6261636b205472616e73616374696f6e73203a20352e320a20205472616e73616374696f6e7320203a2035382e340
convert to:
Last observed value for Rollback Transactions % : 13
Observed time: Aug 19, 2014 2:41:37 PM
Rollback Transactions : 5.2
Transactions : 58.4
| stats count
| eval value="0x4c617374206f627365727665642076616c756520666f7220526f6c6c6261636b205472616e73616374696f6e73202025203a2031330a20204f627365727665642074696d653a204175672031392c203230313420323a34313a333720504d0a2020526f6c6c6261636b205472616e73616374696f6e73203a20352e320a20205472616e73616374696f6e7320203a2035382e340"
| eval ascii=urldecode(ltrim(replace(value,"([a-f0-9]{2})","%\1"),"0x"))
One liner.
This worked very well for me, thanks. One modification though if your HEX value may contain upper and lower case is to add A-F to the regex.
eval ascii=urldecode(ltrim(replace(value,"([a-fA-F0-9]{2})","%\1"),"0x"))
Try this app which provide a command to decode Hex.
I initially proposed the following answer from a misunderstanding of the tostring function, and therefore the following answer is not correct. The following function converts a number (not a hex string) to hex. It does not convert a hex value to anything. The answer below is being left here to allow others to learn the true purpose of the function, and to realize that it does not convert hex to text.
The answer was:
| eval y=tostring(x,"hex")
http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/CommonEvalFunctions
tostring(x,"hex") will convert a number to a hex string. Op wants to convert a hex string to ASCII. This solution will not work.
I realized that just now as I attempted to verify the solution. Surely there must be another simple solution using only eval. searching ..
I needed to do this for some work I had awhile ago and was utterly unable to find anything that worked using just eval. I realize my solution is pretty hacky.
The layout of the function cited above implies that it takes something formatted as a hex and converts it to an ascii string value. As you noted, it actually converts into hex. I am making a feature request. This is surely a really simple function for Splunk.
One way you could convert Hex to ASCII is using eval's urldecode function.
| rex mode=sed field=yourField "s/([0-9A-Fa-f]{2})/%\1/g" | eval yourField=urldecode(substr(yourField,3))
The "rex" will add a "%" in front of every second character in the hex string, which allows the "urldecode" to interperate them as hex encoded values. The substr is to chop off the leading "%0x" from the hex string.
What version as you all using this option does not work for me. Trying to convert eStreamer packet(hex) to their ascii equivalent I get no output in my table for that value.
Hi.Could you please tell the ways that you resolved this..I am also trying to convert eStreamer packet to their ascii.
It would be great if you could help me.
here's what I used to decode eStreamer packet data (assuming your packet field is named packet):
your search for packet | rex mode=sed field=packet "s/([0-9A-Fa-f]{2})/%\1/g" | rex mode=sed field=packet "s/%[890ABCDEDFabcdef][\d\w]/-/g" | eval packet_ascii=urldecode(packet)
I had to replace any non-ASCII character with dashes so that urldecode does not fail. No need for the substract function either in this case. I hope that helps 🙂
I created a macro based off of that until Splunk can bring us this feature:
hex2ascii(2)
eval hex_url=$fieldname_hex$ | rex mode=sed field=hex_url "s/([0-9A-Fa-f]{2})/%\1/g" | eval $fieldname_ascii$ =urldecode(substr(hex_url,3))
It works great.
Hi,
I am trying to convert estreamer pcap which is hex to ascii,I am trying to the same as you have explained..But no luck,I am not getting result.Could you please help me .
Thanks in advance
The urldecode function has issues with certain characters, so many of them need to be escaped (specifically any with hex starting with 0, 1, 8, 9, or any letter...). I built this eval statement that can be used as a calculated field:
urldecode(replace(replace(substr(packet, -packet_len*2), "([A-Fa-f0-9][\d\w])", "%\1"), "%[\D0-18-9]\w", "."))
I don't know of any built-in Hex2Ascii conversion... but I see at least two ways of achieving this. First, you could build a large-ish SED expression that converts each byte into a character at index time... second, you could write a custom search command that does just that at search time, using (probably) readily available library methods in Python that do the conversion for you.