How do I decode base64-encoded data that contains ...

Log_wrangler · ‎08-07-2018

I have tried the base64 helper app as follows

index=A sourcetype=App_A |table encoded_data |base64 encoded_data

if I am decoding > WwBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA==

the result is > [ i n t p t r ] : : s i z e

there are spaces between each character and splunk will only see the first character, in this case [
I want it to be > [intptr]::size

is there a way to base64-decode, remove the spaces, and string it back together?

Please advise, thank you

diogofgm · ‎08-07-2018

Hi
You can use this to remove the spaces

| rex field=decoded_field mode=sed "s/\s//g"

------------
Hope I was able to help you. If so, some karma would be appreciated.

Log_wrangler · ‎08-08-2018

thank you for the reply, however I am not sure I explained correctly.

The problem is after |base64 encoded_data the results are broken.

The base64 helper app I believe is different than other base64 apps, and it does not work with eval either, so I cannot create a "field".

Which base64 app are you using??

thank you

Log_wrangler · ‎08-08-2018

So the main problem is that splunk stops decoding after the first character because there is an "square" null space between the characters, how do I keep it decoding the entire encoded_data??

How do I decode base64-encoded data that contains nulls/spaces?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life