The base64 custom search command performs Base64 encoding and decoding.
... | base64 field=your_field [action=(encode|decode)] [mode=(replace|append)] [suppress_error=(True|False)]
field: field to encode or decode.
action: encode or decode the content. Optional.
mode: replace the existing field content (default) or create a new field named
suppress_error: do not raise errors if set to True. Optional, default to
Note on decoding:
While the input string can be anything for the encoding operation, for decoding it should respect the alphabet [a-zA-Z0-9/=] and its length should be a multiple of 4. If the format is not respected, the command will throw errors (except if you set the flag
In the following example, we assume we are working on proxy/web logs that contain a field uri. This field contains URI links, and some of them contain plop, which refers to Base64-encoded data.
So, to get it working:
Here is one way of doing it in Splunk:
... your search to get field 'uri' for example...
| fields uri
| rex field=uri "plop=(?<content_to_decode>[a-zA-Z0-9/=]*)"
| eval clength=len(content_to_decode)%4
| search clength=0
| base64 field="content_to_decode" action="decode" mode="append"
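The same extract, length-check and decode flow, sketched in Python as an added example (not the app's own code). The function names, the constructed sample URIs and the \xNN rendering of non-printable bytes are assumptions made for illustration.

```python
import base64
import binascii
import re

# Same pattern as the rex in the search above; "plop" is the page's example parameter.
# Note: this character class has no '+', so a value using it is cut short at the '+'.
PLOP_RE = re.compile(r"plop=([a-zA-Z0-9/=]*)")


def render(raw: bytes) -> str:
    """Keep printable ASCII as-is, show every other byte as \\xNN (assumed format)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in raw)


def decode_uri(uri: str, suppress_error: bool = False):
    """Return the decoded plop value, or None when nothing decodable is present."""
    match = PLOP_RE.search(uri)
    if not match or not match.group(1):
        return None
    candidate = match.group(1)
    # Equivalent of `eval clength=len(...)%4 | search clength=0`.
    if len(candidate) % 4 != 0:
        return None
    try:
        # validate=True rejects malformed input instead of silently skipping it.
        return render(base64.b64decode(candidate, validate=True))
    except (binascii.Error, ValueError):
        if suppress_error:
            return None  # behave like suppress_error=True: no error raised
        raise


# Constructed sample URIs (not real log data).
SAMPLE_URIS = [
    "http://example.test/a?plop=aGVsbG8gd29ybGQ=",  # "hello world"
    "http://example.test/b?plop=AAECaGk=",          # bytes 00 01 02 'h' 'i'
    "http://example.test/c?plop=abc",               # length 3: filtered out
    "http://example.test/d?plop=ab=c",              # right length, broken padding
    "http://example.test/e?id=7",                   # no plop parameter
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(uri, "->", decode_uri(uri, suppress_error=True))
```

The fourth URI passes the length filter but is still not valid Base64, which is the case where the error handling matters.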
- Non-printable characters are presented as hexadecimal when decoding (ex: base64=
- Initial release