Search the string after base64decoding


  • Kevin Keech

    When you say you want to search, do you just want to return messages where the parsed field includes a specific string? If so, then you can use a "matches" operation within a "where" statement, like below.

    | parse "payload=*\"}" as test
    | base64Decode(test) as _V
    | where _V matches "*<string>*"

    If you want to further parse a value from the decoded field you can perform additional parsing on the field text using the following format. 

    | parse field=_V "anchor text * anchor text" as newfield 

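The parse, decode and match steps from the answer above, reproduced as an added Python example for checking exported log lines offline; it is not part of the original thread and is not Sumo Logic code. The sample lines, the `{"msg":"payload=<base64>"}` layout and all function names are constructed for illustration, only `*` is treated as a wildcard, and matching is case-sensitive.

```python
import base64
import binascii
import re

# Same anchors as the parse expression in the answer: payload=*"}
PAYLOAD_RE = re.compile(r'payload=(.*?)"\}')

def decode_payload(field):
    """Base64-decode a field; return None when it is not valid base64."""
    s = field.strip().replace("-", "+").replace("_", "/")  # accept URL-safe alphabet
    s += "=" * (-len(s) % 4)                               # accept stripped padding
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")

def wildcard(pattern):
    """Compile a pattern where * matches any run of characters."""
    return re.compile(".*".join(map(re.escape, pattern.split("*"))), re.DOTALL)

def search_decoded(lines, pattern):
    """Return decoded payloads that match the wildcard pattern."""
    rx, hits = wildcard(pattern), []
    for line in lines:
        m = PAYLOAD_RE.search(line)
        decoded = decode_payload(m.group(1)) if m else None
        if decoded is not None and rx.fullmatch(decoded):
            hits.append(decoded)
    return hits

def _line(text, keep_padding=True):
    """Build a constructed sample log line carrying text as base64."""
    b64 = base64.b64encode(text.encode()).decode()
    return '{"msg":"payload=%s"}' % (b64 if keep_padding else b64.rstrip("="))

# Constructed sample log lines (not from the original post)
SAMPLE_LINES = [
    _line("user=alice action=login_failed"),
    _line("user=bob action=login_failed", keep_padding=False),
    _line("user=carol action=logout"),
    '{"msg":"payload=%%%not-base64%%%"}',   # undecodable payload
    '{"msg":"no payload field here"}',
]

if __name__ == "__main__":
    for hit in search_decoded(SAMPLE_LINES, "*login_failed*"):
        print(hit)
```

Lines whose payload does not decode are skipped rather than matched, so a search only ever runs against text that was actually recovered from base64.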
