For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/logs/log_configuration/processors/decoder_processor.md. A documentation index is available at /llms.txt.

Decoder Processor

Overview

The Decoder processor is not available for your selected Datadog site (). Contact Datadog Support if you need this capability.

The Decoder processor translates binary-to-text encoded string fields (such as Base64 or Hex/Base16) into their original representation. This allows the data to be interpreted in its native context, whether as a UTF-8 string, ASCII command, or a numeric value (for example, an integer derived from a hex string). The Decoder processor is especially useful for analyzing encoded commands, logs from specific systems, or evasion techniques used by threat actors.

Note:

  • Truncated strings: The processor handles partially truncated Base64/Base16 strings gracefully by trimming or padding as needed.
  • Hex format: Hex input can be decoded into either a string (UTF-8) or an integer.
  • Failure handling: If decoding fails (because of invalid input), the processor skips the transformation, and the log remains unchanged

Setup

  1. Set the source attribute: Provide the attribute path that contains the encoded string, such as encoded.base64.
  2. Select the source encoding: Choose the binary-to-text encoding of the source: base64 or base16/hex.
  3. For Base16/Hex: Choose the output format: string (UTF-8) or integer.
  4. Set the target attribute: Enter the attribute path to store the decoded result.
Screenshot of the Decoder Processor configuration panel

Further reading

Additional helpful documentation, links, and articles:

Discover Datadog PipelinesDOCUMENTATION more more