Unpacking LogSlashed Logs in Splunk

Once your compressed log data is in your SIEM, you'll most likely want to unpack it to its original form to maintain parity with your existing analytics and alerting processes. We're currently developing a Splunk Plugin that deploys a custom command to unpack slashed logs into their original form. In the following example, we send some basic network data from the network protocol analyzer TShark to two Splunk indexes, "network" and "network slash". The former receives the original log data, while the latter receives log data processed by cwolves using the LogSlash algorithm:

Original Logs

The original set of logs contains 33,472 events:

Slashed Logs

When reduced with LogSlash, there are 408 events:

Unslashing

We can pipe these events through the cwolves Plugin to recreate the original 33,472 events:

You'll notice that some fields processed by lossy merging strategies cannot be perfectly reproduced. If you configure your merging strategies to be lossless (at a cost to compression), the original log set can be reproduced exactly.
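To make the lossy-versus-lossless distinction concrete, here is an added, simplified model of the slash/unslash round trip; it is not the cwolves plugin or the LogSlash algorithm itself, and the sample events, field names and merge strategies are constructed for illustration.

```python
from collections import OrderedDict

# Constructed TShark-style events (not real captures); "ts" is seconds, "len" is frame length.
RAW_EVENTS = [
    {"ts": 1.0, "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "TCP", "len": 60},
    {"ts": 1.2, "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "TCP", "len": 1500},
    {"ts": 1.4, "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "TCP", "len": 60},
    {"ts": 1.5, "src": "10.0.0.7", "dst": "10.0.0.1", "proto": "UDP", "len": 120},
    {"ts": 1.9, "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "TCP", "len": 1500},
]
KEY_FIELDS = ("src", "dst", "proto")  # events must agree on these to be merged

def slash(events, strategy):
    """Merge events sharing KEY_FIELDS into one record per group (hypothetical strategies).
    "lossless": keep every merged value in order, so the record can be fully unpacked.
    "lossy": keep only first/last ts and a length sum, which compresses better but drops detail."""
    groups = OrderedDict()
    for ev in events:
        groups.setdefault(tuple(ev[f] for f in KEY_FIELDS), []).append(ev)
    out = []
    for key, members in groups.items():
        rec = dict(zip(KEY_FIELDS, key))
        rec["count"] = len(members)
        if strategy == "lossless":
            rec["ts"] = [m["ts"] for m in members]
            rec["len"] = [m["len"] for m in members]
        else:
            rec["ts_first"], rec["ts_last"] = members[0]["ts"], members[-1]["ts"]
            rec["len_sum"] = sum(m["len"] for m in members)
        out.append(rec)
    return out

def unslash(records):
    """Expand slashed records back into individual events. Lossy records are rebuilt as
    best-effort estimates (evenly spaced ts, mean len), so parity is not guaranteed."""
    events = []
    for rec in records:
        n = rec["count"]
        for i in range(n):
            ev = {f: rec[f] for f in KEY_FIELDS}
            if "ts" in rec:  # lossless record: exact per-event values survive
                ev["ts"], ev["len"] = rec["ts"][i], rec["len"][i]
            else:  # lossy record: only aggregates survive
                step = (rec["ts_last"] - rec["ts_first"]) / (n - 1) if n > 1 else 0
                ev["ts"] = round(rec["ts_first"] + i * step, 3)
                ev["len"] = rec["len_sum"] // n
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def round_trip_is_exact(events, strategy):
    """True when unslash(slash(events)) reproduces the original events exactly."""
    return sorted(events, key=lambda e: e["ts"]) == unslash(slash(events, strategy))
```

Checking `round_trip_is_exact` on a sample before enabling a lossy strategy is a cheap way to confirm which fields your alerting depends on will still be present after unpacking.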
