The base64 custom search command performs Base64 encoding and decoding.
... | base64 field=your_field [action=(encode|decode)] [mode=(replace|append)] [suppress_error=(True|False)]
field: field to encode or decode.
action: encode (default) or decode the content. Optional.
mode: replace the existing field content (default) or create a new field named base64 (mode append). Optional.
suppress_error: do not raise errors if set to True. Optional, default to False.

Note on decoding:
While the input string can be anything for the encoding operation, when decoding it should respect the alphabet [a-zA-Z0-9/=] and its length should be a multiple of 4. If the format is not respected, the command will throw errors (except if you set the flag suppress_error).
In the following example, we assume we are working on proxy/web logs that contain a field uri. This field contains URI links, and some of them carry an argument plop that refers to Base64-encoded data.
So, to get it working, here is one way of doing it in Splunk (using rex):
... your search to get field 'uri' for example...
| fields uri
| rex field=uri "plop=(?<content_to_decode>[a-zA-Z0-9/=]*)"
| eval clength=len(content_to_decode)%4
| search clength=0
| base64 field="content_to_decode" action="decode" mode="append"
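The pipeline above does three things: extract the plop argument with a regex, drop values whose length is not a multiple of 4, and decode what is left into a new field. The Python below is an added example written for this page, not the app's own implementation, that performs the same three steps outside Splunk on a few constructed proxy-log URIs, so the pre-checks and the v1.1 hex rendering of non-printable bytes can be seen end to end. It assumes the standard RFC 4648 alphabet, which also contains "+"; the page's rex character class omits "+", so a value containing it would be cut short at that character. The helper names (extract_content, validate_b64, render_bytes, decode_field, process_uris) and the sample URIs are assumptions of this example.

```python
import base64
import re
import string

# Regex mirroring the page's rex, widened to the standard alphabet (assumption: "+" is allowed).
PLOP_RE = re.compile(r"plop=(?P<content_to_decode>[A-Za-z0-9+/=]*)")
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")
# Bytes rendered as-is; anything else becomes \xNN, as the v1.1 changelog describes.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")

# Constructed sample proxy-log URIs (not real traffic).
SAMPLE_URIS = [
    "http://example.test/cb?plop=aGVsbG8gd29ybGQ=",  # decodes to "hello world"
    "http://example.test/cb?plop=JVBERi0xLjQAAA==",  # "%PDF-1.4" followed by two NUL bytes
    "http://example.test/cb?plop=abc",               # length 3: not a multiple of 4
    "http://example.test/cb?plop=ab$c",              # regex stops at "$", captures "ab"
    "http://example.test/cb?id=42",                  # no plop argument at all
]


def extract_content(uri):
    """Equivalent of the rex step: return the captured value or None."""
    m = PLOP_RE.search(uri)
    return m.group("content_to_decode") if m else None


def validate_b64(value):
    """Equivalent of the alphabet rule and the clength=0 filter."""
    if not value or set(value) - B64_ALPHABET:
        return False
    return len(value) % 4 == 0


def render_bytes(raw):
    """Keep printable ASCII, escape everything else as \\xNN."""
    out = []
    for b in raw:
        ch = chr(b)
        if b < 128 and ch in PRINTABLE:
            out.append(ch)
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def decode_field(value, suppress_error=False):
    """Decode one value; suppress_error=True returns None instead of raising."""
    if not validate_b64(value):
        if suppress_error:
            return None
        raise ValueError("not valid Base64: %r" % value)
    try:
        raw = base64.b64decode(value, validate=True)  # strict: rejects stray "=" etc.
    except ValueError:
        if suppress_error:
            return None
        raise
    return render_bytes(raw)


def process_uris(uris, suppress_error=True):
    """Run extract -> validate -> decode over a batch, like the search pipeline."""
    results = []
    for uri in uris:
        content = extract_content(uri)
        if content is None:
            continue  # no plop argument: nothing to decode
        decoded = decode_field(content, suppress_error=suppress_error)
        results.append({"uri": uri, "content_to_decode": content, "base64": decoded})
    return results


if __name__ == "__main__":
    for row in process_uris(SAMPLE_URIS):
        print(row["content_to_decode"], "->", row["base64"])
```

With suppress_error=True the two malformed values yield None rather than stopping the batch, which matches the behaviour the page describes for the flag; with the default False the first malformed value raises, so a pipeline that needs one bad event to abort the whole search can opt in to that.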
v2.0
v1.1
- non printable characters are presented as hexadecimal when decoding (ex: base64=<%PDF\x00\x00).
v1.0
- Initial release