EDIT: Solved. Used regex to target the printable portion first, then converted to ASCII.

For a couple of dashboards, I'm using the following to display the plain text of hex data:

    [search] | eval ascii=(ltrim(replace(data,"([A-F0-9]{2})","%\1"),"0x")) | table ascii

This works great for almost everything. However, when using it on snort's ET POLICY ZIP file download events, it gives me nothing. Any ideas on why this is failing for specifically these alerts?

Things I'm aware of:
- Zip files are not plaintext. The filenames within them, however, are. The plan is to use regex to locate and extract filenames afterwards.

Things I've confirmed:
- The relevant field is labeled "data" in both working and non-working examples.
- The data field contains ONLY hex data; no lowercase, spaces, dashes, etc. are used in it.
- The data fields do contain the strings I'm trying to extract.
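The two approaches discussed above, reproduced outside Splunk as an added Python example (not code from the post): decoding the whole hex blob and keeping only printable runs, as the poster ended up doing, beside a stricter variant that reads each filename from the ZIP local file header it lives in. The hex-encoded ZIP is constructed in the script; field layout follows the ZIP local file header (PK\x03\x04, name length at offset 26, name at offset 30).

```python
import binascii
import io
import re
import struct
import zipfile

# Constructed sample (not from the post): a small in-memory ZIP, hex-encoded
# in uppercase with no separators, like the snort "data" field described above.
def build_sample_hex() -> str:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:          # default ZIP_STORED: no compression
        for name, body in (("invoice.pdf.exe", b"\x00\x01MZ stub"),
                           ("readme.txt", b"\x00hello")):
            info = zipfile.ZipInfo(name, date_time=(2024, 1, 1, 0, 0, 0))
            zf.writestr(info, body)
    return binascii.hexlify(buf.getvalue()).decode().upper()

def hex_to_printable_runs(hex_data: str, min_len: int = 4) -> list[str]:
    """The post's approach: decode the whole hex blob, then keep only runs of
    printable ASCII. Filenames are stored verbatim in a ZIP, so they show up,
    but a run keeps going through any printable bytes that follow the name."""
    raw = binascii.unhexlify(hex_data)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, raw)]

def zip_filenames_from_hex(hex_data: str) -> list[str]:
    """Stricter alternative: walk each ZIP local file header (PK\\x03\\x04) and
    read the filename by its length field, so names come out exact even when
    the file content right after them happens to be printable."""
    raw = binascii.unhexlify(hex_data)
    names = []
    for m in re.finditer(rb"PK\x03\x04", raw):
        off = m.start()
        if off + 30 > len(raw):            # header truncated at end of capture
            break
        name_len = struct.unpack_from("<H", raw, off + 26)[0]
        name = raw[off + 30:off + 30 + name_len]
        names.append(name.decode("utf-8", errors="replace"))
    return names

if __name__ == "__main__":
    sample = build_sample_hex()
    print(hex_to_printable_runs(sample))   # names plus runs like 'MZ stubPK'
    print(zip_filenames_from_hex(sample))  # ['invoice.pdf.exe', 'readme.txt']
```

The printable-run output includes entries such as "MZ stubPK", where file content runs straight into the next header's "PK" signature; that merging is why the header walk gives cleaner names for the follow-up extraction.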