Using the Splunk query above, you get table-formatted data that contains the extracted base64 under a field named "string".

The result after we export it from Splunk (opened in Excel) looks like:

If you decode the base64 from the example of the raw event above:

KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC5YOjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC4xODo0NDMpfGJhc2g=

There are hundreds or probably thousands of them. We're not going to decode them one by one, are we? How can I quickly decode all these base64 strings?

So… we're going to leverage Excel and a macro (yes. MACRO) to automatically decode those base64 strings for us.

The macro code that we'll be using is as below:

```
Function TextBase64Encode(strText, strCharset)
    With CreateObject("MSXML2.DOMDocument").createElement("tmp")
        TextBase64Encode = Replace(Replace(.Text, vbCr, ""), vbLf, "")
Function TextBase64Decode(strBase64, strCharset)
```

To use it, first, we need to open the Splunk result that we exported earlier.

After that, press Alt-F8 to open the macro editor. Create a new macro, you can give it any name you want. Paste the macro code given above inside the editor:

After that, close the editor window.

Then, create 2 new columns in the Excel sheet, named "ASCII" and "Decoded Base64":

We need to fill the "ASCII" column with the string "ASCII" down to the end/bottom of your data. Let's say you have 300 rows of data in your Excel, then fill in 300 "ASCII" strings beside them. Just press Ctrl + Arrow-Down to quickly go to the end/bottom of the data column. After that, type the string "ASCII" in one of the rows and copy it (Ctrl-C). Then, press Ctrl + Shift + Arrow-Up to select from bottom to top. Then paste (Ctrl + V) to fill the whole column with the string "ASCII".

Your Excel will look something like this:

Next, we're going to start decoding the base64 strings.

Again, press Ctrl + Arrow-Down to go to the end of the column, and type the formula as below:
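A self-contained decode function that can be called from the "Decoded Base64" column, written here as an added example and not the post's own macro. The column layout (base64 in column A, "ASCII" in column B), the cell formula in the comment and the `#DECODE_ERROR` marker are assumptions. It returns an error marker instead of failing on malformed strings, so one bad row does not break the whole column.

```vba
Option Explicit

' Added example (not the original macro). Assumed worksheet usage, with the
' base64 in column A and the charset string "ASCII" in column B:
'     =TextBase64Decode(A2, B2)
Public Function TextBase64Decode(ByVal strBase64 As String, _
                                 ByVal strCharset As String) As String
    Dim arrBinary() As Byte
    Dim strClean As String

    ' Strip spaces and line breaks that a log export or cell wrap may add
    strClean = Replace(Replace(Replace(Trim$(strBase64), vbCr, ""), vbLf, ""), " ", "")
    If Len(strClean) = 0 Then
        TextBase64Decode = ""
        Exit Function
    End If

    ' Restore "=" padding that was cut off when the string was extracted
    Do While Len(strClean) Mod 4 <> 0
        strClean = strClean & "="
    Loop

    On Error GoTo DecodeFailed

    ' Base64 text -> byte array, using the XML parser's bin.base64 data type
    With CreateObject("MSXML2.DOMDocument").createElement("tmp")
        .DataType = "bin.base64"
        .Text = strClean
        arrBinary = .NodeTypedValue
    End With

    ' Byte array -> text in the requested character set
    With CreateObject("ADODB.Stream")
        .Type = 1                 ' adTypeBinary
        .Open
        .Write arrBinary
        .Position = 0
        .Type = 2                 ' adTypeText
        .Charset = strCharset
        TextBase64Decode = .ReadText
        .Close
    End With
    Exit Function

DecodeFailed:
    ' Malformed base64 or unknown charset: mark the row, keep the sheet usable
    TextBase64Decode = "#DECODE_ERROR: " & Err.Description
End Function
```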