https://community.splunk.com/t5/Splunk-Search/How-to-decrypt-the-encrypted-field/m-p/657387#M227068 <P>This is how it works with b64 encoding</P><LI-CODE lang="markup">index=_internal | head 1 | decrypt field=splunk_server btoa() | eval foo=decrypted | decrypt field=foo b64() | table splunk_server foo decrypted</LI-CODE><P>You must remember that it use field decrypted as output and it didn't change the original field.</P><P>Here is what functions it support <A href="https://splunkbase.splunk.com/app/5565" target="_blank">https://splunkbase.splunk.com/app/5565</A>&nbsp;(Tab Details).&nbsp;</P> Wed, 13 Sep 2023 05:53:49 GMT isoutamo 2023-09-13T05:53:49Z https://community.splunk.com/t5/Splunk-Search/How-to-decrypt-the-encrypted-field/m-p/651842#M225321 <P>Hi All,</P> <P>We are basically forwarding the cloudflare firewall events to Splunk, we have enabled "payload logging" to view what payload was send by the user.</P> <P>Unfortunately the payload data which is forward to splunk is encrypted and we are not sure what tool to use to decrypt it.</P> <P>We do hold this private keys with us, but how to decrypt that in the splunk search is the question.</P> <P>We tried installing DECRYPT2 APP on Splunk but that is also of no help.</P> <P>&nbsp;</P> <P>Has anyone come across this type of issues and how have they fixed it. Request someone to suggest how to proceed with this.</P> Tue, 25 Jul 2023 17:21:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-decrypt-the-encrypted-field/m-p/651842#M225321 bijodev1 2023-07-25T17:21:12Z https://community.splunk.com/t5/Splunk-Search/How-to-decrypt-the-encrypted-field/m-p/651955#M225355 <P>Hi</P><P>how that field has encrypted? Base64 or some other method?</P><P>I have used decrypt2 earlier without any issues with this kind of data. If I recall right it creates another field where it decrypt this field? It leave original field encrypted.</P><P>r. Ismo</P> Tue, 25 Jul 2023 17:18:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-decrypt-the-encrypted-field/m-p/651955#M225355 isoutamo 2023-07-25T17:18:32Z https://community.splunk.com/t5/Splunk-Search/How-to-decrypt-the-encrypted-field/m-p/657139#M226977 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp; sorry for the late response.</P><P>I am not sure on that part, I guess they use this -&nbsp; "hybrid public key Encryption". I did install Decrypt2 on Splunk but not sure how that works.&nbsp;</P><P>&nbsp;</P> Mon, 11 Sep 2023 05:32:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-decrypt-the-encrypted-field/m-p/657139#M226977 bijodev1 2023-09-11T05:32:22Z https://community.splunk.com/t5/Splunk-Search/How-to-decrypt-the-encrypted-field/m-p/657387#M227068 <P>This is how it works with b64 encoding</P><LI-CODE lang="markup">index=_internal | head 1 | decrypt field=splunk_server btoa() | eval foo=decrypted | decrypt field=foo b64() | table splunk_server foo decrypted</LI-CODE><P>You must remember that it use field decrypted as output and it didn't change the original field.</P><P>Here is what functions it support <A href="https://splunkbase.splunk.com/app/5565" target="_blank">https://splunkbase.splunk.com/app/5565</A>&nbsp;(Tab Details).&nbsp;</P> Wed, 13 Sep 2023 05:53:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-decrypt-the-encrypted-field/m-p/657387#M227068 isoutamo 2023-09-13T05:53:49Z