base64_decode_toarray
This page explains how to use the base64_decode_toarray function in APL.
Use the base64_decode_toarray function to decode a Base64-encoded string into an array of bytes. This is especially useful when you need to extract raw binary data from encoded inputs, such as network payloads, authentication tokens, or structured log fields. You can then transform or analyze the resulting byte array using additional APL functions like array_slice, array_length, or array_index.
This function is useful in scenarios where logs or telemetry data include fields that store binary data encoded as Base64, which is common for compact transmission or obfuscation. By decoding these values into byte arrays, you gain visibility into the underlying structure of the data.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Splunk SPL users
Splunk SPL users
In Splunk SPL, decoding Base64 requires using eval with the base64decode function, which returns a string. If you need a byte array representation, you must manually transform it. In APL, base64_decode_toarray directly produces an array of bytes, allowing you to work with binary data more precisely.
ANSI SQL users
ANSI SQL users
Standard ANSI SQL doesn’t include a native function to decode Base64 into byte arrays. You typically need to rely on a UDF or cast the result into VARBINARY if the engine supports it. APL provides a built-in function that directly yields an array of integers representing bytes.
Usage
Syntax
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| base64_input | string | ✔️ | A Base64-encoded string. The input string must be valid Base64. |
Returns
An array of integers representing the decoded byte values. If the input string is not valid Base64, the function returns an empty array.
Use case examples
You want to decode a Base64-encoded field in logs to inspect raw payloads for debugging or transformation.
Query
Output
| raw |
|---|
| [104, 101, 108, 108, 111, 32, 119, 111, 114, 108, 100] |
This query decodes the Base64 string 'aGVsbG8gd29ybGQ=', which represents the ASCII string "hello world", into an array of byte values.
You want to decode a Base64-encoded field in logs to inspect raw payloads for debugging or transformation.
Query
Output
| raw |
|---|
| [104, 101, 108, 108, 111, 32, 119, 111, 114, 108, 100] |
This query decodes the Base64 string 'aGVsbG8gd29ybGQ=', which represents the ASCII string "hello world", into an array of byte values.
You receive Base64-encoded trace IDs from an external system and want to decode them for low-level correlation.
Query
Output
| trace_id | trace_bytes |
|---|---|
| dHJhY2UtaWQtZGVtbw== | [116, 114, 97, 99, 101, 45, 105, 100, 45, 100, 101, 109, 111] |
This query decodes the trace ID from Base64 into its byte-level representation for internal processing or fingerprinting.
List of related functions
- array_length: Returns the number of elements in an array. Use after decoding to validate payload length.
- array_slice: Extracts a subrange from an array. Use to focus on specific byte segments after decoding.
- base64_encode_fromarray: Converts a sequence of bytes into a Base64-encoded string.