I have been working on decoding a base64-encoded command using the decrypt2 app. I have successfully decoded the string, but I am having difficulty excluding or searching on it, and also running stats on the decoded field, which gives a "p" thing as a result.
Examples of | Search NOT:
Example of stats resulting in "p":
| rex field="process" ".*-(e|E)(n|N)[codemanCODEMAN]{0,12}\ (?<process_enc>[A-Za-z\d+/=]*)?"
| decrypt field=process_enc b64 emit('process_decoded')
| stats count by process_decoded
Could someone please provide guidance on the correct syntax to exclude or search the decoded field using search NOT or a lookup, and help clarify the "p" thing from the stats command? DECRYPT2
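For readers hitting the same single-character result, here is an added Python example (not code from the original post, and not the DECRYPT2 app's own code) of the decode chain that the rex/decrypt pipeline above performs. It assumes the `-enc` argument is a PowerShell `-EncodedCommand`, which is base64 over the UTF-16LE bytes of the script rather than over ASCII: a plain base64 decode therefore yields bytes with a 0x00 after every ASCII character, and any consumer that reads the result as a NUL-terminated string keeps only the first character. Whether that truncation is what produces the "p" in the question is an assumption; the sample command line, the `SCRIPT` value and the helper names are constructed for the example.

```python
import base64
import re

# Constructed sample script, not taken from the original post.
SCRIPT = "Get-Process | Where-Object { $_.CPU -gt 100 }"


def encode_powershell_command(script: str) -> str:
    """Build the argument PowerShell expects after -EncodedCommand:
    base64 over the UTF-16LE bytes of the script, not over UTF-8/ASCII."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process command line in the shape the question's rex expects.
PROCESS = "powershell.exe -nop -w hidden -enc " + encode_powershell_command(SCRIPT)

# Python form of the question's rex: "-enc", "-EncodedCommand" and variants,
# followed by a space and the base64 blob.
ENC_RE = re.compile(r"-(e|E)(n|N)[codemanCODEMAN]{0,12} (?P<process_enc>[A-Za-z\d+/=]*)")


def extract_encoded(process: str):
    """Return the base64 blob after the -enc style switch, or None if absent."""
    m = ENC_RE.search(process)
    return m.group("process_enc") if m else None


def decode_to_first_nul(b64: str) -> str:
    """What a bare base64 decode looks like when the bytes are consumed as a
    NUL-terminated string: UTF-16LE places 0x00 after every ASCII letter, so
    only the first character survives (assumed cause of the one-letter result)."""
    raw = base64.b64decode(b64)
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def decode_powershell(b64: str) -> str:
    """Correct decode: base64, then interpret the bytes as UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def exclude_matching(decoded_values, pattern: str):
    """Keep only decoded commands that do NOT match pattern (case-insensitive);
    the Python equivalent of a NOT filter on the decoded field."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [v for v in decoded_values if not rx.search(v)]


if __name__ == "__main__":
    enc = extract_encoded(PROCESS)
    print("decode read as C string:", repr(decode_to_first_nul(enc)))
    print("UTF-16LE decode:        ", decode_powershell(enc))
    print(exclude_matching([decode_powershell(enc), "SELECT * FROM users"], "select"))
```

If the one-letter stats value is this truncation, the decoded bytes have to be interpreted as UTF-16LE before any stats, regex or NOT filter is applied to them; in the example that is the difference between `decode_to_first_nul` and `decode_powershell`, and `exclude_matching` only behaves once it is given the full text.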
I don't know the decrypt command, so this might be completely irrelevant, but is the output (emitted) field a multi-value field and, if so, do you need to use mvexpand to separate out the strings that you want to filter on?
Another possibility is perhaps the regex command:
| regex process_decoded!="SELECT"
@ITWhisperer Thanks for your response. It's not a multi-value field, and I tried regex, which isn't excluding the results either.