I have tried the base64 helper app as follows
index=A sourcetype=App_A |table encoded_data |base64 encoded_data
if I am decoding > WwBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA==
the result is > [ i n t p t r ] : : s i z e
there are spaces between each character and splunk will only see the first character, in this case [
I want it to be > [intptr]::size
is there a way to base64-decode, remove the spaces, and string it back together?
Please advise, thank you
You can use this to remove the spaces
| rex field=decoded_field mode=sed "s/\s//g"
thank you for the reply, however I am not sure I explained correctly.
The problem is after |base64 encoded_data the results are broken.
The base64 helper app I believe is different than other base64 apps, and it does not work with eval either, so I cannot create a "field".
Which base64 app are you using??
So the main problem is that splunk stops decoding after the first character because there is an "square" null space between the characters, how do I keep it decoding the entire encoded_data??