All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Base64: Parsing an XML file using kv_mode=xml, how to get the Base64 script "recurse" and decode more than the first line?

lchumley
New Member
‎11-03-2015 11:19 AM

I'm parsing an XML file using the kv_mode=xml in my props.conf and that's all good and well.

However, these XMLs that are coming back as a payload from another app are formatted like this:

<host>PC11</host>
<Registry>
<Value>AbBccDlllK[...]</Value>
<Value>AbBccDQQqq[...]</Value>

In the Search app, the tables format correctly and I get multiple values per host. These values are on separate lines, but not being treated as separate events. I'm fine with that part.

The Values are in Base64. I downloaded the base64 app and ran a decode string against the source type and it worked, but only for the first value of every host. Any ideas on how to make the base64 script "recurse" and decode more than the first line?

0 Karma
Reply

jhedgpeth
Path Finder
‎05-24-2016 07:40 AM

something to try. split mv field, decode, recombine.

... | mvexpand yourbase64 | base64 field=yourbase64 action=“decode"  | mvcombine yourbase64
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...