DECRYPT is a standard Splunk App and requires no special configuration.
DECRYPT is implemented as a single search command which exposes a number of data manipulation functions. It takes the required field to manipulate and then one or more functions as arguments.
decrypt [field=<name>] FUNCTIONS...
The following example will transform the sourcetype field into its hex representation:
... | decrypt field=sourcetype hex() emit('sourcetype')
Note: results are only written out via the emit function. The input field is not modified in place, so a chain without an emit produces no visible output.
The field argument specifies the Splunk field to use as input.
... | decrypt field="hostname" ...
If no field argument is passed then _raw will be used by default.
If a field argument is passed and the field does not exist in the record being processed, no error or warning is given. A misspelled field name therefore fails silently; if an emitted field is missing from the results, check the field= argument first.
Each function passed as an argument will be executed in order, with the output of the previous function provided as input to the next.
... | decrypt field=hostname b64 xor('s\x65cr\x65t') hex emit('decrypted')
The above example can be explained as: Base64-decode the hostname field, XOR the result with the key 'secret' (the \x65 escapes are the letter e), hex-encode the result, and write it to a new field named decrypted.
The available functions are:

Base64 encode: Encodes input to a Base64 string.
b64: Decodes a Base64 encoded string.
Base32 decode: Decodes a Base32 encoded string.
rotx(count): Implements a Caesarian shift. The count argument specifies the amount to shift and must be an integer.
Rotate left: Implements rotate-on-left on each character within the string using an 8 bit boundary. The count argument specifies the amount to rotate and must be an integer.
Rotate right: Implements rotate-on-right on each character within the string using an 8 bit boundary. The count argument specifies the amount to rotate and must be an integer.
xor(key): Implements a basic XOR cipher against the field with the supplied key. The key can be provided as a string or an integer.
rc4(key): Implements the RC4 cipher against the field with the supplied key. The key must be a string.
hex: Transforms input into its hexadecimal representation.
unhex: Transforms hexadecimal input into its byte form.
save(name): Saves the current state to memory as name.
load(name): Recalls the previously saved state name from memory.
ASCII: Transforms input into ASCII output. Non-printable characters are replaced with a period.
emit(name): Outputs the current state as UTF-8 to the field name.
substr(offset, count): Returns a substring of the input, starting at index offset and containing count characters.
Strings are specified by enclosing values in apostrophes (single quotes). Strings accept Pythonic escape sequences, so individual bytes can be given as hexadecimal (\x65) or octal (\145) escapes:
'This is a valid string' 'This is also \x61 valid string.'
Quotation marks (double quotes) cannot be used.
"This is not a valid string"
Integers can be specified in decimal or in hexadecimal by prefixing the value with 0x, as in xor(0x01) below.
256 could be passed as is or as its hexadecimal representation 0x100.
The value of Splunk fields can be used in function parameters by passing the field name as an argument. All referenced fields must be complete words unbroken by whitespace.
... | decrypt field=_raw xor(sourcetype) ...
The above example demonstrates passing the sourcetype field as the key to the xor function.
Fields saved using the save command can also be referenced.
... | decrypt field=_raw substr(0,1) save('1byte') substr(1, 4096) xor(1byte) ...
Functions which take no arguments do not need parentheses in order for syntax checking to pass. The following examples all pass syntax checks and execute identically:
... | decrypt field=_raw b64 hex unhex
... | decrypt field=_raw b64() hex() unhex()
... | decrypt field=_raw b64() hex unhex
New lines can be used to break up command sequences for easier readability:
... | decrypt field=_raw b64
    hex
    unhex
XOR with a static string key:
... | decrypt field=data xor('secret') emit('result')
Caesarian shift by 13 (ROT13):
... | decrypt field=data rotx(13) emit('result')
Base64 decode, then XOR with a static key:
... | decrypt field=data b64 xor('secret') emit('result')
Base64 decode, take the first byte as the XOR key for the remainder (the key is emitted and then referenced by field name):
... | decrypt field=data b64 save('bin') substr(0, 1) emit('key') load('bin') substr(1, 9999) xor(key) emit('result')
Try several RC4 keys against the same decoded input, emitting each result to its own field:
... | decrypt field=data b64 save('orig') rc4('secret') emit('rc4-secret') load('orig') rc4('password') emit('rc4-password') load('orig') rc4('abc123') emit('rc4-abc123') load('orig') rc4('aabbccdd') emit('rc4-aabbccdd')
Try several single-byte XOR keys against the same decoded input:
... | decrypt field=data b64 save('data') xor(0x01) emit('xor0x01') load('data') xor(0x02) emit('xor0x02') load('data') xor(0x03) emit('xor0x03') ...
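The following is an added example and is not code from the DECRYPT app. It is a small Python model of the function chain described above (functions run in order, save/load keep intermediate state, emit writes a field, a bare name passed as an argument reads a field, including one emitted earlier in the same chain). It is useful for building test events and for checking what a given chain should emit before running it in Splunk; the demo functions mirror the b64/xor/hex example and the key-in-first-byte example from this page. Wherever the page is silent (how rotx treats non-letters, how a string key becomes bytes, what a missing input field yields), the behaviour here is this model's assumption, not the app's.

```python
# Added example, not the DECRYPT app's code: a Python model of the decrypt
# command's function chain, for building test events and checking what a chain
# should emit. Behaviour the page does not specify is marked as an assumption.
import base64


class Ref:
    """A bare field name used as a function argument, e.g. xor(sourcetype)."""
    def __init__(self, name: str):
        self.name = name


def b64(data: bytes) -> bytes:
    return base64.b64decode(data)

def hex_(data: bytes) -> bytes:
    return data.hex().encode()

def unhex(data: bytes) -> bytes:
    return bytes.fromhex(data.decode())

def xor(data: bytes, key) -> bytes:
    # int key -> one byte; str key -> its bytes repeated across the input (assumption)
    k = bytes([key & 0xFF]) if isinstance(key, int) else key.encode("latin-1")
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))

def rc4(data: bytes, key: str) -> bytes:
    # Standard RC4 KSA + PRGA; encrypting and decrypting are the same operation.
    k = key.encode("latin-1")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + k[i % len(k)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rotx(data: bytes, count: int) -> bytes:
    # Caesar shift over A-Z / a-z; other bytes pass through unchanged (assumption)
    def shift(c: int) -> int:
        if 65 <= c <= 90:
            return (c - 65 + count) % 26 + 65
        if 97 <= c <= 122:
            return (c - 97 + count) % 26 + 97
        return c
    return bytes(shift(c) for c in data)

def substr(data: bytes, offset: int, count: int) -> bytes:
    return data[offset:offset + count]

FUNCS = {"b64": b64, "hex": hex_, "unhex": unhex, "xor": xor,
         "rc4": rc4, "rotx": rotx, "substr": substr}


def run_chain(record: dict, steps, field: str = "_raw") -> dict:
    """Model `... | decrypt field=<field> step step ...` on one event.

    steps: list of tuples such as ("b64",), ("xor", "secret"), ("emit", "result").
    Returns a copy of the record with each emitted field added; the input field
    itself is never modified in place.
    """
    out = dict(record)
    # A missing input field gives no error (page); the model starts from empty bytes.
    state = str(out.get(field, "")).encode("latin-1")
    memory = {}
    for name, *args in steps:
        # A Ref resolves to the current value of that field, including fields emitted earlier.
        args = [out[a.name] if isinstance(a, Ref) else a for a in args]
        if name == "save":
            memory[args[0]] = state
        elif name == "load":
            state = memory[args[0]]
        elif name == "emit":
            # emit writes UTF-8 (page); bytes that are not valid UTF-8 will not round-trip
            out[args[0]] = state.decode("utf-8", errors="replace")
        else:
            state = FUNCS[name](state, *args)
    return out


def demo_xor_hex() -> dict:
    # Mirrors: ... | decrypt field=hostname b64 xor('secret') hex emit('decrypted')
    event = {"hostname": base64.b64encode(xor(b"hello", "secret")).decode()}  # constructed
    return run_chain(event, [("b64",), ("xor", "secret"), ("hex",), ("emit", "decrypted")],
                     field="hostname")

def demo_keyed_xor() -> dict:
    # Mirrors: ... | decrypt field=data b64 save('bin') substr(0, 1) emit('key')
    #                load('bin') substr(1, 9999) xor(key) emit('result')
    # Constructed payload: base64( key_byte || plaintext XOR key_byte ), key byte 0x2A ('*').
    event = {"data": base64.b64encode(b"\x2a" + xor(b"hello world", 0x2A)).decode()}
    return run_chain(event, [
        ("b64",), ("save", "bin"), ("substr", 0, 1), ("emit", "key"),
        ("load", "bin"), ("substr", 1, 9999), ("xor", Ref("key")), ("emit", "result"),
    ], field="data")

def demo_rc4() -> dict:
    # Mirrors: ... | decrypt field=data b64 rc4('secret') emit('plain')
    event = {"data": base64.b64encode(rc4(b"attack at dawn", "secret")).decode()}  # constructed
    return run_chain(event, [("b64",), ("rc4", "secret"), ("emit", "plain")], field="data")


if __name__ == "__main__":
    print(demo_xor_hex(), demo_keyed_xor(), demo_rc4(), sep="\n")
```

Because the key-in-first-byte chain passes the key through an emitted field, a key byte that is not valid UTF-8 may not survive the emit/reference round trip; the save/load pattern keeps raw bytes in memory and avoids that, which is why the multi-key RC4 and XOR examples above reload the saved state rather than re-reading an emitted field.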
Shannon Davis (Splunk)