Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

"Q" Encoding

olivier_ma
Explorer
‎08-29-2017 01:21 AM

Hello,

I have a field which contains values encoded in "Q" (I just discovered this encoding type : RFC 1522). It seems to be used a lot in email logs.

I wasn't able to find any commands that helps to convert to a 'readable' string.

Any help, idea, suggestion would be appreciated in order to convert these values (by Splunk commands or by fields extractions processs).

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

knielsen
Contributor
‎08-29-2017 05:45 AM

Hi,

I took a little stupid test message "Why is a Q encoded string (random text <>)?", tried an online Q encoder to encode this to "Why_is_a_Q_encoded_string_=28random_text_=3C=3E=29=3F" and could decode this in Splunk with 2 rex commands:

| makeresults | eval input="Why_is_a_Q_encoded_string_=28random_text_=3C=3E=29=3F" | rex field=input mode=sed "s/=(..)/%\1/g" | rex field=input mode=sed "s/_/ /g" | eval output=urldecode(input)

Not sure if this covers the whole spec, test it out with your real data.

Hth,
-Kai.

edit: actually, this looks much nicer:

| makeresults | eval input="Why_is_a_Q_encoded_string_=28random_text_=3C=3E=29=3F" | eval output=urldecode(replace(replace(input,"=","%"),"_","%20"))

View solution in original post

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎08-29-2017 07:44 AM

An oldie one ; - )

alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎08-29-2017 06:56 AM

Can you please give us an example of these "Q" values? maybe a snapshot...

0 Karma
Reply
Solved! Jump to solution
Solution

knielsen
Contributor
‎08-29-2017 05:45 AM

Hi,

I took a little stupid test message "Why is a Q encoded string (random text <>)?", tried an online Q encoder to encode this to "Why_is_a_Q_encoded_string_=28random_text_=3C=3E=29=3F" and could decode this in Splunk with 2 rex commands:

| makeresults | eval input="Why_is_a_Q_encoded_string_=28random_text_=3C=3E=29=3F" | rex field=input mode=sed "s/=(..)/%\1/g" | rex field=input mode=sed "s/_/ /g" | eval output=urldecode(input)

Not sure if this covers the whole spec, test it out with your real data.

Hth,
-Kai.

edit: actually, this looks much nicer:

| makeresults | eval input="Why_is_a_Q_encoded_string_=28random_text_=3C=3E=29=3F" | eval output=urldecode(replace(replace(input,"=","%"),"_","%20"))
Reply
Solved! Jump to solution

olivier_ma
Explorer
‎08-30-2017 01:11 AM

Perfect, exactly what I'm looking for :). Indeed use urldecode is much easier.

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...