we're doing minor obfuscation of a field within our incoming UDP plaintext events - is there any way to decode prior to indexing so the output is searchable? Is the base64 function available for an eval for a calculated field?
You can't do the decoding at index-time - you'd either have to make sure the value is decoded by the time it reaches Splunk by having something else receive the data and decode it before passing it on, or perform the decoding at search-time. Base64 decoding works just fine at search-time on any field regardless of how it was created.
Just throw a search statement after the decode command.
... | base64 action=decode yourfield | search yourfield=...
decoding is definitely working in terms of reporting - the issue is, I need to search against the decoded data and I cannot.