Having a base64 decoding problem in Splunk 9- How ...

rrovers · ‎03-13-2023

After installing splunk 9 we have a problem with decoding ldap-events. We tried several apps but none of them gave us correct results.

We wanted to use the app "Encode / Decode Data for Splunk" but we can't find any instructions of how to use it.

Does anyone have experience with base64 decoding in splunk 9?

vnarahari · ‎01-09-2024

We had the same problem initially and found more details about code command usage under \TA-code\default\searchbnf.conf

We are able to decode the URL or process using | code method=base64 field=encodedcommand action=decode destfield=decoded_command key=abc123 but when we stats the decoded_command it gives the result as "p".

I tried the base64 conversion matrix macro as well, it does the same p thing.

Can anyone help?

rrovers · ‎01-09-2024

Later we have used an app named decrypt2 and it worked for us with this syntax:

| decrypt field=randomfield atob emit('randomfielddecrypt')

rrovers · ‎03-17-2023

Answering my own question:

Syntax is like this:

| code field=randombase64field method=base64 action=decode destfield=test

unfortunately it doesn't decode diacritics correctly.

Does someone have a solution for that? Apps that worked fine in splunk 8 don't seem to work correct in splunk 9.

Having a base64 decoding problem in Splunk 9- How to decode Idap-events?

other

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?