
Is there any way to decode encoded HTML values saved in a log file?

Boopalan
New Member

I want to decode all the encoded HTML values present in a log file while indexing itself.
Is there any way to do it?

0 Karma

sampathramtvnr
New Member

urldecode works for decoding the values of URL addresses and strings.
Try the below examples:

With URL:
| makeresults
| eval field1= "f%23has%2Bofh%20a"
| eval field1 = urldecode(field1)

With string:
For example, if you already have a field value, then:
| rex mode=sed field=field1 "s/ / /g"
| eval a=urldecode(field1)

0 Karma

pkeenan87
Communicator

You could try and decode it at search time with the urldecode eval function:

https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/TextFunctions

0 Karma

Boopalan
New Member

@pkeenan87, the urldecode function is not working as expected. I tried doing that, but it works only for decoding values of URL addresses, not for a string containing ASCII encoded values in HTML.

0 Karma

dmarling
Builder

Urldecode decodes the URL encoding that starts with a percentage sign. You can manipulate the data a bit to force it to work. Using the most recent example by @Boopalan I got it to work, but I had to manually account for the HTML encoded line feed character.

Run anywhere example:

| makeresults count=1
| eval data="- 
--  Start of getter Meods
retiremevice.io.ReturnCd: 0
retiremevice.io.RtSCd:"
| eval test=data
| rex mode=sed field=test "s/
/\n/g"
| rex mode=sed field=test "s/&#x?([^\;]+);/%\1/g"
| eval test2=urldecode(test)

It makes it look like this when it runs:

- 
--  Start of getter Meods
retiremevice.io.ReturnCd: 0
retiremevice.io.RtSCd:
If this comment/answer was helpful, please up vote it. Thank you.
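
An added example (not part of the answer above and not Splunk code): a Python comparison of the rewrite-to-percent-then-urldecode approach with a decoder that follows the HTML character-reference rules, listing the references on which the two disagree. Assumptions: `urllib.parse.unquote` stands in for Splunk's `urldecode`, the function names are hypothetical, and the sample line is constructed.

```python
import html
import re
from urllib.parse import unquote

# Same pattern as the rex in the answer: "&#x2D;" -> "%2D", "&#58;" -> "%58".
_REF = re.compile(r"&#x?([^;]+);")

# Constructed sample line (not the poster's log): hex and decimal references mixed.
SAMPLE = "&#x2D;&#x2D; Start of getter Methods&#xA;ReturnCd&#58; 0"


def sed_then_urldecode(text):
    """Rewrite numeric references to percent escapes, then URL-decode.

    Assumption: urllib.parse.unquote stands in for Splunk's urldecode().
    """
    return unquote(_REF.sub(r"%\1", text))


def decode_char_refs(text):
    """Decode hex, decimal and named references by the HTML rules."""
    return html.unescape(text)


def mis_decoded_refs(text):
    """List the references for which the percent rewrite gives a different
    result than HTML decoding (one-digit hex, decimal, and so on)."""
    return [m.group(0) for m in _REF.finditer(text)
            if sed_then_urldecode(m.group(0)) != decode_char_refs(m.group(0))]


if __name__ == "__main__":
    print(repr(sed_then_urldecode(SAMPLE)))
    print(repr(decode_char_refs(SAMPLE)))
    print(mis_decoded_refs(SAMPLE))
```

In this stand-in, a literal `%41` already present in an event is also changed by the URL-decode step, while the HTML decoder leaves it alone.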

Boopalan
New Member

Hey Splunk folks,
Is there any possible way/ideas to do that?

0 Karma

niketn
Legend

@Boopalan any example from the log where html values are encoded? Which kind of encoding is in place? Also are these specific technology logs or are they custom logs? Please mock/anonymize any sensitive data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Boopalan
New Member

@niketnilay, PFB sample of encoded html values in the log file.

%[datetime] [Default: 0] [] [INFO ] [*] - 
--  Start of getter Meods
retiremevice.io.ReturnCd: 0
retiremevice.io.RtSCd: 
0 Karma

niketn
Legend

@Boopalan, for the above text, what are the expected decoded characters? I am not sure if this looks like either encoding or escaping of special characters. Would need to wait for others to comment. Or more details would help us assist you better!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma