Splunk Search

how to loop through data fields and store the result in a different data field?

ashishlal82
Explorer

Hi,
I am trying to find a solution to the below problem:

HASH (Data field name)
001300A5323BF6C1812B686C1C896857D4CF85C676E48F451D8CB7B9A8F0AFE0

002A2F5CFCF551F27EF4637480C60FC7CEEB53ADE3233F8645D89FFDB39A3A58

00330A0E0EB1DBB6EE84997963F8E15C7C15C1DF787F1C7F109609D7B31BD35C

005ECF2A6C557DDCEC50E8BF5627BA9C


The above field contains HASH values
Question: how do I loop through the above HASH values and weed out whether a particular value is SHA-256 or MD5? I researched that an SHA-256 value contains 64 digits and MD5 32 digits. So in the case above, if a field value is 64 digits I would like to create a data field named Hash type and the corresponding value.

Output
hash type hash
sha256 001300A5323BF6C1812B686C1C896857D4CF85C676E48F451D8CB7B9A8F0AFE0
sha256 002A2F5CFCF551F27EF4637480C60FC7CEEB53ADE3233F8645D89FFDB39A3A58
sha256 00330A0E0EB1DBB6EE84997963F8E15C7C15C1DF787F1C7F109609D7B31BD35C
md5 005ECF2A6C557DDCEC50E8BF5627BA9C

I have tried using the eval, case and len functions, but then I am not sure how I loop through the fields one by one and find the length. How do I set my pointer?

Any suggestions?

0 Karma

somesoni2
Revered Legend

Is HASH a multivalued field (one event contains multiple values)?

0 Karma

ashishlal82
Explorer

It's not a multivalued field. One event contains a unique value, and after filtering my data from BigFix in Splunk I identified these hashes as "invalid"; my goal is to weed them out by counting the character length and checking whether it's SHA-256 or MD5.
I tried exactly the same query you wrote and that didn't work.

0 Karma

somesoni2
Revered Legend

Check the field names as they are case-sensitive.

0 Karma

ashishlal82
Explorer

Here's my query:

index=res sourcetype=res_auth_file_hashes| stats values(HASH) by HASH_TYPE | where HASH_TYPE!="SHA-256"|eval HASH_TYP= case(len(HASH)=64,"sha",len(HASH)=32,"md5")

And the current output:
HASH_TYPE values(HASH)
INVALID 001300A5323BF6C1812B686C1C896857D4CF85C676E48F451D8CB7B9A8F0AFE0
002A2F5CFCF551F27EF4637480C60FC7CEEB53ADE3233F8645D89FFDB39A3A58
00330A0E0EB1DBB6EE84997963F8E15C7C15C1DF787F1C7F109609D7B31BD35C
005ECF2A6C557DDCEC50E8BF5627BA9C
007BEFA1DC79145968EB2277A08AA0CC2561C952B138E015301B832B25A7DA3C

0 Karma

somesoni2
Revered Legend

HASH_TYPE is not set at the stats/where command. Move the eval HASH_TYPE command to before stats.

0 Karma

ashishlal82
Explorer

Sorry, I did not understand your answer. And I'm not sure how moving the eval HASH_TYPE command to before stats would make a difference.

0 Karma

somesoni2
Revered Legend

index=res sourcetype=res_auth_file_hashes |eval HASH_TYPE= case(len(HASH)=64,"sha",len(HASH)=32,"md5")| table HASH HASH_TYPE | where HASH_TYPE!="SHA-256"
0 Karma
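As an added illustration (not code from the thread or from Splunk), here is the same classification logic in Python, done in the order the fix above relies on: classify each record while the per-event HASH field still exists, then aggregate. The eval placed after stats in the earlier query returned nothing because stats had already replaced HASH with values(HASH). The example goes a little beyond the thread: it also requires the value to be hexadecimal (a 32-character string with non-hex characters is bad data, not an MD5) and recognises the SHA-1 and SHA-512 lengths. HASH_LENGTHS, classify_hash, classify_events, stats_values_by_guess, the HASH_GUESS field and the last two sample values are my own names and constructed data; the first three hashes are the ones quoted in the question.

```python
import re
from collections import defaultdict

# Hex-digest lengths for common algorithms. The thread only distinguishes
# 64 -> sha256 and 32 -> md5; sha1 and sha512 are added here (assumption) so
# the same lookup covers the other sizes seen in file-hash feeds.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def classify_hash(value):
    """Equivalent of eval HASH_TYPE=case(len(HASH)=64,"sha",len(HASH)=32,"md5"),
    tightened so that a value must also be hexadecimal: a 32-character string
    containing a non-hex character is not an MD5 digest, it is bad data."""
    if not isinstance(value, str):
        return "unknown"
    v = value.strip()
    if not v or not HEX_RE.match(v):
        return "unknown"
    return HASH_LENGTHS.get(len(v), "unknown")


# Constructed sample events in the shape of the thread's data: the first three
# hashes are quoted in the question; the last two are made up to show a
# SHA-1-length value and a 32-character value that is not hex.
EVENTS = [
    {"HASH": "001300A5323BF6C1812B686C1C896857D4CF85C676E48F451D8CB7B9A8F0AFE0", "HASH_TYPE": "INVALID"},
    {"HASH": "002A2F5CFCF551F27EF4637480C60FC7CEEB53ADE3233F8645D89FFDB39A3A58", "HASH_TYPE": "INVALID"},
    {"HASH": "005ECF2A6C557DDCEC50E8BF5627BA9C", "HASH_TYPE": "INVALID"},
    {"HASH": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "HASH_TYPE": "INVALID"},
    {"HASH": "ZZ5ECF2A6C557DDCEC50E8BF5627BA9C", "HASH_TYPE": "INVALID"},
]


def classify_events(events):
    """Step 1, the 'eval before stats' fix: the per-event HASH field is still
    present here, so its length can be read. The guess goes into a separate
    field (HASH_GUESS, my name) so the original HASH_TYPE filter still works."""
    out = []
    for e in events:
        row = dict(e)
        row["HASH_GUESS"] = classify_hash(e.get("HASH"))
        out.append(row)
    return out


def stats_values_by_guess(events, exclude_type="SHA-256"):
    """Step 2: equivalent of
    where HASH_TYPE!="SHA-256" | stats values(HASH) by HASH_GUESS.
    After this step the individual HASH field is gone, which is why an eval
    placed here (as in the first query in the thread) had nothing to measure."""
    groups = defaultdict(set)
    for e in classify_events(events):
        if e.get("HASH_TYPE") == exclude_type:
            continue
        groups[e["HASH_GUESS"]].add(e["HASH"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for row in classify_events(EVENTS):
        print(f"{row['HASH_GUESS']:8} {row['HASH']}")
    print(stats_values_by_guess(EVENTS))
```

Writing the guess to its own field rather than overwriting HASH_TYPE keeps the original "INVALID" / "SHA-256" label available for the where filter; the "unknown" bucket is worth reviewing, since a value that is the right length but not hex is usually a parsing problem upstream rather than a hash.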

ashishlal82
Explorer

Got it, thanks.

0 Karma

diogofgm
SplunkTrust

Try

Base search | eval type= case(len(hash)=64,"sha",len(hash)=32,"md5")

------------
Hope I was able to help you. If so, some karma would be appreciated.