
While doing my research, I came across a sample with SHA1 f08d857b0de6a7e3655480f1f5d652031be2616c. The binary is 100MB+ on disk, but it shrinks to 7MB+ when archived, which suggests it is padded with garbage data. Inspecting the sample in a hex editor confirms that the garbage region is large. Comparing figures 1 and 2 below, both screenshots show the same garbage data at different offsets.

Figure 1: Part of the garbage data

Splunk can extract fields from JSON, but when the data is a list (array) of objects, Splunk flattens each key into its own multivalue field and may not associate a key with its correct value. The data therefore needs some massaging before the key/value pairs can be searched accurately.

Here is a sample search query for massaging the JSON data. Note that mvzip only accepts two multivalue fields (plus an optional delimiter), so zipping three fields requires nesting two mvzip calls:

index=<index name>
| spath
| rename TestData{}.Name as property_name, TestData{}.NewValue as property_new_value, TestData{}.OldValue as property_old_value
| eval x=mvzip(mvzip(property_name, property_new_value), property_old_value)
| mvexpand x
| eval x=split(x, ",")
| eval property_name=mvindex(x, 0)
| eval property_new_value=mvindex(x, 1)
| eval property_old_value=mvindex(x, 2)
| search property_name="test_key_name"
| table _time, property_name, property_new_value, property_old_value

The default mvzip delimiter is a comma, so if any of the values can themselves contain commas, pass a delimiter that cannot appear in the data (for example "|") to both mvzip calls and to split, otherwise the split will shift the values into the wrong columns.
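To show why the zip/expand/split chain above is needed, and where it breaks, here is an added Python walkthrough (not part of the original post or of Splunk) that mimics what spath, mvzip, mvexpand, split and mvindex do on a constructed event in the same TestData{} shape; the second item contains a comma in NewValue to demonstrate the delimiter failure mode.

```python
"""Re-associate list-style JSON fields the way the SPL query does (added example)."""
import json

# Constructed sample event; the field names mirror the query's TestData{} structure.
SAMPLE_EVENT = json.dumps({
    "TestData": [
        {"Name": "test_key_name", "NewValue": "enabled", "OldValue": "disabled"},
        {"Name": "other_key", "NewValue": "a,b", "OldValue": "c"},  # comma in a value
    ]
})


def spath(event_json):
    """Mimic spath + rename: flatten TestData{} into three multivalue fields."""
    items = json.loads(event_json).get("TestData", [])
    return {
        "property_name": [str(i.get("Name", "")) for i in items],
        "property_new_value": [str(i.get("NewValue", "")) for i in items],
        "property_old_value": [str(i.get("OldValue", "")) for i in items],
    }


def mvzip(a, b, delim=","):
    """Mimic mvzip: join the i-th element of each multivalue field with delim."""
    return [f"{x}{delim}{y}" for x, y in zip(a, b)]


def reassociate(event_json, delim=","):
    """Nested mvzip -> mvexpand -> split -> mvindex, returning one row per item."""
    f = spath(event_json)
    zipped = mvzip(mvzip(f["property_name"], f["property_new_value"], delim),
                   f["property_old_value"], delim)
    rows = []
    for x in zipped:                 # mvexpand: one row per zipped string
        parts = x.split(delim)       # split(x, delim)
        rows.append({                # mvindex(x, 0..2)
            "property_name": parts[0],
            "property_new_value": parts[1],
            "property_old_value": parts[2],
        })
    return rows


def search(event_json, key, delim=","):
    """Mimic `search property_name="<key>"` over the re-associated rows."""
    return [r for r in reassociate(event_json, delim) if r["property_name"] == key]
```

With the default comma delimiter the second item's "a,b" is split into extra columns and OldValue becomes "b"; passing delim="|" yields the correct "c".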

j00dan
