Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Having a base64 decoding problem in Splunk 9- How to decode Idap-events?

rrovers
Contributor
‎03-13-2023 05:19 AM

After installing splunk 9 we have a problem with decoding ldap-events. We tried several apps but none of them gave us correct results.

We wanted to use the app "Encode / Decode Data for Splunk" but we can't find any instructions of how to use it.

Does anyone have experience with base64 decoding in splunk 9?

0 Karma
Reply

vnarahari
Loves-to-Learn Lots
‎01-09-2024 09:27 AM

We had the same problem initially and found more details about code command usage under \TA-code\default\searchbnf.conf

We are able to decode the URL or process using | code method=base64 field=encodedcommand action=decode destfield=decoded_command key=abc123 but when we stats the decoded_command it gives the result as "p".

I tried the base64 conversion matrix macro as well, it does the same p thing. 

vnarahari_0-1704821064925.png

Can anyone help?

0 Karma
Reply

rrovers
Contributor
‎01-09-2024 10:42 PM

Later we have used an app named decrypt2 and it worked for us with this syntax:

 

| decrypt field=randomfield atob emit('randomfielddecrypt')
0 Karma
Reply

rrovers
Contributor
‎03-17-2023 01:51 AM

Answering my own question:

Syntax is like this:

| code field=randombase64field method=base64 action=decode destfield=test

unfortunately it doesn't decode diacritics correctly.

Does someone have a solution for that? Apps that worked fine in splunk 8 don't seem to work correct in splunk 9.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...