Re: How to convert _raw with encoded chars (not de...

denissotoacc · ‎05-20-2022

I have the following _raw field in my index:

_raw

Response Headers:

{'Date': 'Fri, 13 May 2022 02:59:34 GMT', 'Content-Type': 'application/json; charset=utf-8'}

So, I realized ' = '. But there is no way to convert that string into a human readable string, like this:

Response Headers:

{'Date': 'Fri, 13 May 2022 02:59:34 GMT', 'Content-Type': 'application/json; charset=utf-8'}

I tried with something like this, without sucess:

| eval myfield = replace(tostring(_raw),"x27","'")

Then I checked if the string contains "x27" and turns out it is not being detected:

| eval exists=if(like(tostring(_raw), "%x27%"), "YES", "NO")

Is there a way to convert that weird string into a human readable string?

somesoni2 · ‎05-20-2022

Give this a try (run anywhere sample, replace everything before eval with your search)

| makeresults | eval _raw="Response Headers:

{&#x27;Date&#x27;: &#x27;Fri, 13 May 2022 02:59:34 GMT&#x27;, &#x27;Content-Type&#x27;: &#x27;application/json; charset=utf-8&#x27;}" | eval _raw=replace(_raw,"\&#x27\;","'")

ITWhisperer · ‎05-20-2022

Does this help?

| eval decoded=replace(_raw,"&#x27;","'")

denissotoacc · ‎05-20-2022

Already tried, no success. It would work if the _raw field is recognized as string, but it is not. I've already tried "tostring(_raw)" also. Nothing changes

How to convert _raw with encoded chars (not detected as string) into a readable string?

eval

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation