Oct 10 2021 03:24 AM
Hi,
I need your assistance please.
I have the following query:
F5_CL
| where TimeGenerated >= ago(3m) //change to required time
| extend RawData=split(RawData, '##') //split all raw data to specific values
| extend base64Value = tostring(RawData[24]) // base64 value
base64Value holds a base64 value.
I don't know how to decode this value with extend!
I want each parameter inside this value to be separated.
I would appreciate your support, please.
Thanks!
Oct 10 2021 03:39 PM
Oct 10 2021 11:52 PM
Oct 10 2021 11:55 PM
Oct 10 2021 11:59 PM
@m_zorich Adding a picture, hope it's clearer now.
Oct 11 2021 01:06 AM
Oct 11 2021 01:23 AM
Oct 11 2021 02:06 AM
Oct 11 2021 02:44 AM
Oct 12 2021 12:52 AM
Oct 12 2021 04:31 AM
@CliveWatson Yes, I've tried to use an online converter and it translates well.
More than that, if I take the base64 as is and move it to a static variable as you showed, it works.
Otherwise it won't work.
Also, I've verified this is UTF-8.
I don't understand what I'm missing!
Oct 12 2021 04:40 AM
Maybe just a tostring within the Base64 - did we try that?
e.g. base64_decode_tostring(tostring(RawData[24]))
let RawDataList = "S3VzdG8=##S3VzdG8=##S3VzdV8=";
Usage
| extend RawData=split(RawDataList, '##')
| extend base64Value = base64_decode_tostring(tostring(RawData[2]))
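A diagnostic query for the situation discussed above, where a value decodes as a static string but not when taken from the split field. This is an added example, not part of the original thread. The sample rows are constructed, field index 2 stands in for RawData[24], and both the possible causes it checks (stray whitespace, characters outside the base64 alphabet) and the key=value&key=value layout of the decoded text are assumptions.

```kusto
// Constructed rows standing in for F5_CL; index 2 plays the role of RawData[24].
let Sample = datatable(RawData:string)
[
    "f0##f1##aWQ9NyZhY3Q9YmxvY2s=",     // clean base64 of "id=7&act=block"
    "f0##f1## YT0xJmI9Mg==\n",          // base64 of "a=1&b=2" with whitespace around it
    "f0##f1##not*base64"                // characters outside the base64 alphabet
];
Sample
| extend Fields = split(RawData, '##')
| extend RawField = tostring(Fields[2])
// Strip leading and trailing whitespace, then compare lengths to see whether any was present.
| extend Trimmed = trim(@"\s+", RawField)
| extend RawLen = strlen(RawField), TrimmedLen = strlen(Trimmed)
// Standard alphabet, at most two '=' at the end, length a multiple of 4.
| extend LooksBase64 = (Trimmed matches regex @"^[A-Za-z0-9+/]+={0,2}$") and (TrimmedLen % 4 == 0)
| extend Decoded = iff(LooksBase64, base64_decode_tostring(Trimmed), "")
// An empty Decoded with ByteCount > 0 means the bytes decoded but are not valid UTF-8.
| extend ByteCount = iff(LooksBase64, array_length(base64_decode_toarray(Trimmed)), 0)
// Assumed layout: key=value pairs joined by '&', the same shape as a URL query string.
| extend Params = parse_urlquery(Decoded)["Query Parameters"]
| project RawLen, TrimmedLen, LooksBase64, ByteCount, Decoded, Params
```

Against the real table, replace Sample with F5_CL and the index 2 with 24; a row where RawLen differs from TrimmedLen, or where LooksBase64 is false, shows what the static-string test did not include.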
Oct 12 2021 05:01 AM