How do I decode base64-encoded data that contains ...

Log_wrangler · ‎08-07-2018

I have tried the base64 helper app as follows

index=A sourcetype=App_A |table encoded_data |base64 encoded_data

if I am decoding > WwBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA==

the result is > [ i n t p t r ] : : s i z e

there are spaces between each character and splunk will only see the first character, in this case [
I want it to be > [intptr]::size

is there a way to base64-decode, remove the spaces, and string it back together?

Please advise, thank you

diogofgm · ‎08-07-2018

Hi
You can use this to remove the spaces

| rex field=decoded_field mode=sed "s/\s//g"

------------
Hope I was able to help you. If so, some karma would be appreciated.

Log_wrangler · ‎08-08-2018

thank you for the reply, however I am not sure I explained correctly.

The problem is after |base64 encoded_data the results are broken.

The base64 helper app I believe is different than other base64 apps, and it does not work with eval either, so I cannot create a "field".

Which base64 app are you using??

thank you

Log_wrangler · ‎08-08-2018

So the main problem is that splunk stops decoding after the first character because there is an "square" null space between the characters, how do I keep it decoding the entire encoded_data??

How do I decode base64-encoded data that contains nulls/spaces?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

How do I decode base64-encoded data that contains nulls/spaces?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25