Re: How do i find base64 strings within a field: e... - Splunk Community

Splunk Search

hello,

i'm trying to list URIs with base64 strings in them of at least 24 characters (i havent got to the length bit of the search):

search:

source=logdata1 uri=* | fields uri | regex uri="[a-z-A-Z0-9+/]{4}|[a-z-A-Z0-9+/]{3}=|[a-z-A-Z0-9+/]{2}==" | stats count by uri

This brings back pretty much EVERY URI, LOL.

Please can we identify a way to say the base64 length is no less than 24 characters?

Does this help you get closer?

| makeresults count=5 
| streamstats count 
| eval uri = CASE ( count==1,"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",count==2,"bbbbbbbbbb",count==3,"ccccccccccccccccccccccccccccccccccc",count==4,"dddddd",count==5,"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ) 
| fields uri
| regex uri="[a-z-A-Z0-9+/]{4}|[a-z-A-Z0-9+/]{3}=|[a-z-A-Z0-9+/]{2}==" 
| eval uri_len = len(uri) 
| where uri_len > 24 
| stats count by uri

I'm using some self contained SPL to generate the data so this will need to be tweaked for your example

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers, So you searched, “what is the name of the usb key inserted by bob smith?” Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register Is your ...