Forum Discussion
Unable to decode base64 value - Kusto
Hi, I need your assistance please. I have the following query: F5_CL | where TimeGenerated >= ago(3m) //change to required time | extend RawData=split(RawData, '##') //split all raw data to...
There are a few operators to decode, for strings
F5_CL
| where TimeGenerated >= ago(3m) //change to required time
| extend RawData=split(RawData, '##') //split all raw data to specific values
| extend base64Value = base64_decode_tostring(RawData) // base64 value
F5_CL
| where TimeGenerated >= ago(3m) //change to required time
| extend RawData=split(RawData, '##') //split all raw data to specific values
| extend base64Value = base64_decode_tostring(RawData) // base64 value
When I send the following Query:
F5_CL
| where TimeGenerated >= ago(7h) //change to required time
| extend RawData=split(RawData, '##') //split all raw data to specific values
| extend base64Value = base64_decode_tostring(RawData[24]) // base64 value
I get the following error:
"base64_decodestring(): argument #1 was not of an expected data type: string"
When I check RawData[24] using gettype() function, the result is String.
Why I get this error?
F5_CL
| where TimeGenerated >= ago(7h) //change to required time
| extend RawData=split(RawData, '##') //split all raw data to specific values
| extend base64Value = base64_decode_tostring(RawData[24]) // base64 value
I get the following error:
"base64_decodestring(): argument #1 was not of an expected data type: string"
When I check RawData[24] using gettype() function, the result is String.
Why I get this error?
- Could you post an example of your data to make it easier?
m_zorich Adding picture, hope it more clear now.
- You may need to check its valid UTF8, there are two examples in the github https://github.com/Azure/Azure-Sentinel/search?q=base64_decode_tostring , the second does some translate on invalid data.
