Re: How do I create a custom command to decode bas...

Log_wrangler · ‎08-14-2018

I have tried all the base64 decoding apps in splunk base with no luck. The apps decode the first character and stop at the first null.

I want to add a custom command (.py) or script that will decode the base64 encode field value and remove the nulls. Preferrably, I would like a command I invoke at will with and eval, like

|eval decoded_val = myCommand encoded_val | table decoded_val

Please advise how I would create a custom command like this.

Thank you

jkat54 · ‎08-14-2018

I find the documentation to be incredibly helpful.

https://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Customsearchcommandshape

https://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Writeasearchcommand

http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

Take those links and look at my decimaltoip search command in my jkats toolkit app https://splunkbase.splunk.com/app/3265/

Then modify for your use.

Log_wrangler · ‎08-15-2018

thank you, I think I found some of this info already.
will followup with specific questions
Thanks

How do I create a custom command to decode base64 and remove null bytes?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

Index This | What has goals but no motivation?

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Join the Conversation