Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue with excluding a decoded base64 command

vnarahari
Loves-to-Learn Lots
‎04-02-2024 01:06 PM

I have been working on decoding a base64 encoded command using the decrypt2 app. I have successfully decoded the string but facing difficulty excluding or searching and also running stats of decoded field which gives a "p" thing as a result.

Examples of | Search NOT:

vnarahari_0-1712088517693.png

 


Example of Stats resulted "p":

vnarahari_0-1712087927555.png

| rex field="process" ".*-(e|E)(n|N)[codemanCODEMAN]{0,12}\ (?<process_enc>[A-Za-z\d+/=]*)?"
| decrypt field=process_enc b64 emit('process_decoded')
| stats count by process_decoded

Could someone please provide guidance on the correct syntax to exclude or search the decoded field using search not or using a lookup and help clarify the "P" thing from stats command? DECRYPT2 


Tags (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-02-2024 03:35 PM

I don't know the decrypt command so this might be completely irrelevant, but, is the output (emitted) field a multi value field and if so do you need to use mvexpand to separate out the strings that you want to filter on?

Another possibility is perhaps the regex command

| regex process_decoded!="SELECT"
0 Karma
Reply

vnarahari
Loves-to-Learn Lots
‎04-03-2024 10:38 AM

@ITWhisperer Thanks for your response, It's not multivalued field and tried regex which isn't excluding the results as well.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...