Phish tank and Cisco ASA Logs

Explorer

Hi Guys,

I am trying to pull the full URL from Cisco ASA logs and feed it into the Phishing dashboard. I have two problems:

  1. I managed to apply a regex to the Cisco ASA URL, but the output is converting / to %2

index = * 304001 | rex field=_raw "Accessed URL \d+\.\d+\.\d+\.\d+:(?<url>\w+://\S+)"

*Output is*
http%3A%2F%2Fanswers.splunk.com%2Fanswers%2F52995%2Fasa-accessed-url-log

  2. How will I input that value in the Phishing dashboard under the Enter URL field?

I would really appreciate help.

SplunkTrust

Try using the urldecode function in the eval command. Add this to your search:

| eval url=urldecode(url)
0 Karma
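
An added example (not from either post) for checking the extraction and decoding offline in Python: the regex has the same shape as the rex in the question, and `urllib.parse.unquote` stands in for Splunk's `urldecode`. The log lines are constructed samples, the function names are hypothetical, and the bounded repeat decoding goes beyond the single pass in the answer.

```python
import re
from urllib.parse import unquote

# Same shape as the rex in the question: dest IP, a colon, then the URL.
ACCESSED_URL = re.compile(
    r"Accessed URL (?P<dest>\d+\.\d+\.\d+\.\d+):(?P<url>\w+://\S+)"
)

def decode_url(value, max_passes=3):
    """Percent-decode until the value stops changing (bounded), so a
    double-encoded value such as %252F also ends up as '/'."""
    for _ in range(max_passes):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def extract_urls(lines):
    """Return (dest_ip, decoded_url) for every 304001 line that matches."""
    results = []
    for line in lines:
        if "304001" not in line:
            continue  # same keyword filter as the search
        m = ACCESSED_URL.search(line)
        if m:
            results.append((m.group("dest"), decode_url(m.group("url"))))
    return results

# Constructed sample events (not real logs); IPs are documentation ranges.
SAMPLE = [
    "Mar 01 10:00:01 fw1 %ASA-5-304001: 192.0.2.10 Accessed URL 203.0.113.5:http://example.com/a%2Fb?q=1",
    "Mar 01 10:00:02 fw1 %ASA-6-302013: Built outbound TCP connection 42 for outside:203.0.113.5/80",
    "Mar 01 10:00:03 fw1 %ASA-5-304001: 192.0.2.11 Accessed URL 198.51.100.7:https://example.org/login",
]

if __name__ == "__main__":
    for dest, url in extract_urls(SAMPLE):
        print(dest, url)
    # The encoded value shown in the question decodes back to a normal URL.
    print(decode_url("http%3A%2F%2Fanswers.splunk.com%2Fanswers%2F52995%2Fasa-accessed-url-log"))
```

Pass `max_passes=1` to match a single decode; repeated decoding will alter a URL that legitimately contains a literal `%25` sequence.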