Use the base64_decode_toarray function to decode a Base64-encoded string into an array of bytes. This is especially useful when you need to extract raw binary data from encoded inputs, such as network payloads, authentication tokens, or structured log fields. You can then transform or analyze the resulting byte array using additional APL functions like array_slice, array_length, or array_index.

This function is useful in scenarios where logs or telemetry data include fields that store binary data encoded as Base64, which is common for compact transmission or obfuscation. By decoding these values into byte arrays, you gain visibility into the underlying structure of the data.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

In Splunk SPL, decoding Base64 requires using eval with the base64decode function, which returns a string. If you need a byte array representation, you must manually transform it. In APL, base64_decode_toarray directly produces an array of bytes, allowing you to work with binary data more precisely.

```sql Splunk example | eval decoded=base64decode(encodedField) ```` 
['my-dataset']
| extend decoded = base64_decode_toarray(encodedField)

Standard ANSI SQL doesn’t include a native function to decode Base64 into byte arrays. You typically need to rely on a UDF or cast the result into VARBINARY if the engine supports it. APL provides a built-in function that directly yields an array of integers representing bytes.

```sql SQL example SELECT CAST(FROM_BASE64(encodedField) AS BINARY) FROM my_table; ``` 
['my-dataset']
| extend decoded = base64_decode_toarray(encodedField)

Usage

Syntax

base64_decode_toarray(base64_input)

Parameters

Name Type Required Description
base64_input string A Base64-encoded string.
The input string must be standard Base64 with padding, as defined by RFC 4648. For more information, see the [RFC Series documentation](https://www.rfc-editor.org/rfc/rfc4648).

Returns

An array of integers representing the decoded byte values. If the input string is not valid Base64, the function returns an empty array.

Use case examples

You want to decode a Base64-encoded field in logs to inspect raw payloads for debugging or transformation.

Query

['sample-http-logs']
| extend raw = base64_decode_toarray('aGVsbG8gd29ybGQ=')

Run in Playground

Output

raw
[104, 101, 108, 108, 111, 32, 119, 111, 114, 108, 100]

This query decodes the Base64 string 'aGVsbG8gd29ybGQ=', which represents the ASCII string "hello world", into an array of byte values.

You receive Base64-encoded trace IDs from an external system and want to decode them for low-level correlation.

Query

['otel-demo-traces']
| extend trace_bytes = base64_decode_toarray(trace_id)
| project trace_id, trace_bytes

Run in Playground

Output

trace_id trace_bytes
dHJhY2UtaWQtZGVtbw== [116, 114, 97, 99, 101, 45, 105, 100, 45, 100, 101, 109, 111]

This query decodes the trace ID from Base64 into its byte-level representation for internal processing or fingerprinting.
  • array_length: Returns the number of elements in an array. Use after decoding to validate payload length.
  • array_slice: Extracts a subrange from an array. Use to focus on specific byte segments after decoding.
  • base64_encode_fromarray: Converts a sequence of bytes into a Base64-encoded string.

Good morning

I'm here to help you with the docs.

I
AIBased on your context