All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Base64: Parsing an XML file using kv_mode=xml, how to get the Base64 script "recurse" and decode more than the first line?

lchumley
New Member
‎11-03-2015 11:19 AM

I'm parsing an XML file using the kv_mode=xml in my props.conf and that's all good and well.

However, these XMLs that are coming back as a payload from another app are formatted like this:

<host>PC11</host>
<Registry>
<Value>AbBccDlllK[...]</Value>
<Value>AbBccDQQqq[...]</Value>

In the Search app, the tables format correctly and I get multiple values per host. These values are on separate lines, but not being treated as separate events. I'm fine with that part.

The Values are in Base64. I downloaded the base64 app and ran a decode string against the source type and it worked, but only for the first value of every host. Any ideas on how to make the base64 script "recurse" and decode more than the first line?

0 Karma
Reply

jhedgpeth
Path Finder
‎05-24-2016 07:40 AM

something to try. split mv field, decode, recombine.

... | mvexpand yourbase64 | base64 field=yourbase64 action=“decode"  | mvcombine yourbase64
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...