Splunk Search

Having a base64 decoding problem in Splunk 9- How to decode Idap-events?

rrovers
Contributor

After installing splunk 9 we have a problem with decoding ldap-events. We tried several apps but none of them gave us correct results.

We wanted to use the app "Encode / Decode Data for Splunk" but we can't find any instructions of how to use it.

Does anyone have experience with base64 decoding in splunk 9?

Labels (1)
0 Karma

vnarahari
Loves-to-Learn Lots

We had the same problem initially and found more details about code command usage under \TA-code\default\searchbnf.conf

We are able to decode the URL or process using | code method=base64 field=encodedcommand action=decode destfield=decoded_command key=abc123 but when we stats the decoded_command it gives the result as "p".

I tried the base64 conversion matrix macro as well, it does the same p thing. 

vnarahari_0-1704821064925.png

Can anyone help?

0 Karma

rrovers
Contributor

Later we have used an app named decrypt2 and it worked for us with this syntax:

 

| decrypt field=randomfield atob emit('randomfielddecrypt') 
0 Karma

rrovers
Contributor

Answering my own question:

Syntax is like this:

| code field=randombase64field method=base64 action=decode destfield=test 

unfortunately it doesn't decode diacritics correctly.

Does someone have a solution for that? Apps that worked fine in splunk 8 don't seem to work correct in splunk 9.

Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...