All Apps and Add-ons

How do I decode base64-encoded data that contains nulls/spaces?


I have tried the base64 helper app as follows

index=A sourcetype=App_A |table encoded_data |base64 encoded_data

if I am decoding > WwBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA==

the result is > [ i n t p t r ] : : s i z e

there are spaces between each character and splunk will only see the first character, in this case [
I want it to be > [intptr]::size

is there a way to base64-decode, remove the spaces, and string it back together?

Please advise, thank you

Tags (2)
0 Karma


You can use this to remove the spaces

| rex field=decoded_field mode=sed "s/\s//g"
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma


thank you for the reply, however I am not sure I explained correctly.

The problem is after |base64 encoded_data the results are broken.

The base64 helper app I believe is different than other base64 apps, and it does not work with eval either, so I cannot create a "field".

Which base64 app are you using??

thank you

0 Karma


So the main problem is that splunk stops decoding after the first character because there is an "square" null space between the characters, how do I keep it decoding the entire encoded_data??

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...