Re: How to convert _raw with encoded chars (not de...

denissotoacc · ‎05-20-2022

I have the following _raw field in my index:

_raw

Response Headers:

{'Date': 'Fri, 13 May 2022 02:59:34 GMT', 'Content-Type': 'application/json; charset=utf-8'}

So, I realized ' = '. But there is no way to convert that string into a human readable string, like this:

Response Headers:

{'Date': 'Fri, 13 May 2022 02:59:34 GMT', 'Content-Type': 'application/json; charset=utf-8'}

I tried with something like this, without sucess:

| eval myfield = replace(tostring(_raw),"x27","'")

Then I checked if the string contains "x27" and turns out it is not being detected:

| eval exists=if(like(tostring(_raw), "%x27%"), "YES", "NO")

Is there a way to convert that weird string into a human readable string?

somesoni2 · ‎05-20-2022

Give this a try (run anywhere sample, replace everything before eval with your search)

| makeresults | eval _raw="Response Headers:

{&#x27;Date&#x27;: &#x27;Fri, 13 May 2022 02:59:34 GMT&#x27;, &#x27;Content-Type&#x27;: &#x27;application/json; charset=utf-8&#x27;}" | eval _raw=replace(_raw,"\&#x27\;","'")

ITWhisperer · ‎05-20-2022

Does this help?

| eval decoded=replace(_raw,"&#x27;","'")

denissotoacc · ‎05-20-2022

Already tried, no success. It would work if the _raw field is recognized as string, but it is not. I've already tried "tostring(_raw)" also. Nothing changes

How to convert _raw with encoded chars (not detected as string) into a readable string?

eval

field extraction

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?