Today we will discuss a couple of very interesting eval functions. These are not daily used functions but can be very tricky if you don’t know these functions when you will get these kinds of use cases. It can eat your brain sometimes.
Urldecode function will decode all kinds of encoded URLs. Suppose you are indexing any encoded (not encrypted) URLs then this function can be very useful to decode those stuff in a second.
X: Encoded URL string or field name with encoded URLs
index="ip" | stats count by user url | eval decoded_url=urldecode('url')
Here we are decoding a URL stored in the “IP” index and is extracted in a field called “url”. After that using the “urldecode” function we are doing as discussed previously.
Now instead of the field name, you can mention the URL string directly.
| makeresults | eval decoded_url=urldecode("https%3A%2F%2Fsplunkonbigdata.com%2F2020%2F08%2F24%2Fusage-of-splunk-eval-function-mvmap%2F")
Here we did the same but instead of using the field name, above all, we have used the string directly with “urldecode” function.
X: it will convert md5 hash value of X
NOTE: md5 or message-digest is a widely used cryptographic hash function. This will convert 128-hash values of any given string.
index=_internal | stats count by sourcetype file | eval encrypted_file=md5('file')
Here we took the data from the ‘_internal‘ index and above all, I have listed out counts based on file and sourcetype. Now, this file name is very sensitive data. that’s why we will encrypt that for the end-users. That’s why I am using the “md5” function with eval to create a new field called “encrypted_file“. Therefore we can remove the original “file” field from the result set, however, for demonstration purposes, I kept it there.
Hope you all enjoyed this blog “Usage of Splunk Eval Function: URLDECODE and MD5“, see you all on to the next one.