Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are some of the fields showing ascii hex values for string after I get CEF stream data into splunk using cefutils?

sdesigowda
New Member
‎02-07-2018 03:10 PM

Using cefutils I am able to get CEF stream data into Splunk. The issue is some of the fields are showing ascii hex values for a string.
Here is an example CEF data:

Thu Feb  8 07:08:10 2018 1/1/e1 CEF:23|XYZ|metadata|5.3.00|4|metadata generation|6|XYZMdataSslIssuerName=Google Internet Authority G2 dpt=63911 XYZMdataSslValidNotBefore=3138303131363038353430395a XYZMdataSslSerialNo=799d1de89c3718b6000000000000000000000000 XYZMdataSslValidNotAfter=3138303431303038343230305a XYZMdataSslCertSigAlgo=2a864886f70d01010b XYZMdataSslCertSubAlgo=2a8648ce3d02010000 XYZMdataSslCertSubKeySize=65 XYZMdataSslServerVersion=771 XYZMdataSslCertSubAltName=*.google.com XYZMdataSslServerCompressionMethod=192 XYZMdataSslServerCipher=49195 XYZMdataSslServerVersionText=TLSv1.2 XYZMdataSslServerSessionId=125 XYZMdataSslIssuer=2f433d55532f4f3d476f6f676c6520496e632f434e3d476f6f676c6520496e7465726e657420417574686f72697479204732 XYZMdataSslCertSubCommonName=*.google.com XYZMdataSslSub=2f433d55532f53543d43616c69666f726e69612f4c3d4d6f756e7461696e20566965772f4f3d476f6f676c6520496e632f434e3d2a2e676f6f676c652e636f6d dst=10.40.21.68 src=216.58.218.206 spt=443

Look into XYZMdataSslIssuer=2f433d55532f4f3d476f6f676c6520496e632f434e3d476f6f676c6520496e7465726e657420417574686f72697479204732.
value for key "XYZMdataSslIssue" is a string. It's showing ASCII values of character of a string. Where do I make a change so that cefutil ingests this value as string? It's just one example. There are other fields which have different values like date, integer etc.

0 Karma
Reply

to4kawa
Ultra Champion
‎01-26-2020 07:06 PM 
| makeresults
| eval XYZMdataSslIssuer="2f433d55532f4f3d476f6f676c6520496e632f434e3d476f6f676c6520496e7465726e657420417574686f72697479204732"
| rex field=XYZMdataSslIssuer mode=sed "s/(\w{2})/%\1/g"
| eval XYZMdataSslIssuer=urldecode(XYZMdataSslIssuer)

HEX decode is usefull using rex mode=sed and urldecode()

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...