All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I decode base64-encoded data that contains nulls/spaces?

Log_wrangler
Builder
‎08-07-2018 02:56 PM

I have tried the base64 helper app as follows

index=A sourcetype=App_A |table encoded_data |base64 encoded_data

if I am decoding > WwBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA==

the result is > [ i n t p t r ] : : s i z e

there are spaces between each character and splunk will only see the first character, in this case [
I want it to be > [intptr]::size

is there a way to base64-decode, remove the spaces, and string it back together?

Please advise, thank you

Tags (2)
0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-07-2018 03:04 PM

Hi
You can use this to remove the spaces

| rex field=decoded_field mode=sed "s/\s//g"
------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

Log_wrangler
Builder
‎08-08-2018 07:19 AM

thank you for the reply, however I am not sure I explained correctly.

The problem is after |base64 encoded_data the results are broken.

The base64 helper app I believe is different than other base64 apps, and it does not work with eval either, so I cannot create a "field".

Which base64 app are you using??

thank you

0 Karma
Reply

Log_wrangler
Builder
‎08-08-2018 01:55 PM

So the main problem is that splunk stops decoding after the first character because there is an "square" null space between the characters, how do I keep it decoding the entire encoded_data??

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...