- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to save an eval urldecode as a field in Splunk...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to save this search below as a field for my user to be able to see on their "selected fields" during their new search and be able to click on it to see the pre-created reports.
I've read the Splunk Answers post about "Save an 'eval'-based field extraction" which points me to setting up a macro.... I would like to know if this is the best route or is there different advice for handling this.... maybe reworking my thinking all together.
Search string
index=test1 | transaction session_id | eval user_agent_string_decoded=urldecode(user_agent_string_encoded)
1)The logged event:
Mozilla%2f4.0%20(compatible%3b%20MSIE%207.0%3b%20Windows%20NT%206.1%3b%20WOW64%3b%20Trident%2f7.0%3b%20SLCC2%3b%20.NET%20CLR%202.0.50727%3b%20.NET%20CLR%203.5.30729%3b%20.NET%20CLR%203.0.30729%3b%20Media%20Center%20PC%206.0%3b%20.NET4.0E%3b%20InfoPath.3%3b%20.NET4.0C).
2) I capture this into the field user_agent_string_encoded)
3) I decode it using the above search string
Thank You,
Sean
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Setting up a macro is fine if you dont need to do the decoding every time you search. You can use the macro as needed.
If you wanted this decoding to happen automatically every time someone searches that sourcetype you can add this to your props.conf on your search head. You should be able to apply the setting with out restartng by loading the debug/refresh endpoint on your search head
your-splunk-server.net:8000/en-US/debug/refresh
[theSourceType]
EVAL-user_agent_string_decoded = urldecode(user_agent_string_encoded)
http://docs.splunk.com/Documentation/Splunk/6.0.6/Knowledge/definecalcfields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Setting up a macro is fine if you dont need to do the decoding every time you search. You can use the macro as needed.
If you wanted this decoding to happen automatically every time someone searches that sourcetype you can add this to your props.conf on your search head. You should be able to apply the setting with out restartng by loading the debug/refresh endpoint on your search head
your-splunk-server.net:8000/en-US/debug/refresh
[theSourceType]
EVAL-user_agent_string_decoded = urldecode(user_agent_string_encoded)
http://docs.splunk.com/Documentation/Splunk/6.0.6/Knowledge/definecalcfields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was working to this direction right after I asked the question. Your comment helped me validate my direction.
Thank You!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
