topic Re: convert string to binary in Splunk Dev

convert string to binary

khanlarloo — Sat, 10 Jun 2017 12:11:33 GMT

hi
how can i convert string to the form of ip add.when i search the ip add it shows ip add in the form of string instead of ip add format.

is there any solution to convert string to binary format of ip add?

Re: convert string to binary

maciep — Sat, 10 Jun 2017 12:28:25 GMT

do you have any example data you can share? And/Or could you elaborate a bit? What is the difference between the string representation and the IP address form?

Re: convert string to binary

khanlarloo — Tue, 29 Sep 2020 14:25:17 GMT

you can find a sample log file below

"May 13 17:55:05 192.168.10.16 May 13 17:55:05 wsm-2 attack: risk=Low, event=""Backend error"", proxy=""both://gsh:443"", proxy_id=31, log_id=3545324, source=""81.91.144.51"", violation=""General request violation"", path=""/content/assets/css/byekan.woff"", method=""GET"", node=""wsm-2.rb.snig.armandata.net"", action=""Allow"", time=""May 13 17:54:58 2017""","2017-05-13T17:55:05.000+0430",Allow,"81.91.144.51",17,13,55,may,5,saturday,2017,local,"Backend error",,,"192.168.10.16",main,1,3545324,GET,"wsm-2.rb.snig.armandata.net",,"/content/assets/css/byekan.woff",,attack,,"both://gsh:443",31,"::_...::-:=,="""",=""://..:"",=,=,=""...""",Low,"udp:514",syslog,SIEM,,,,"May 13 17:54:58 2017",15,0,,"General request violation"

as you see the source field contains IP address that i want extract it.
and use it in Choropleth Map
how can i do that.

Re: convert string to binary

yuanliu — Tue, 29 Sep 2020 14:25:20 GMT

I think it means to convert a quad format string representation of the numeric IP address into a binary representation of the numeric value. For example, the numeric value of 255.0.0.1 is 255*2^24 + 0*2^16 + 0*2^8 + 1*2 = (dec)4278190081 = (bin)11111111000000000000000000000001. Sometimes it is useful to use decimal string or hexadecimal string of the address value, but I really don't see what benefit could it be to use a binary string representation.

Re: convert string to binary

yuanliu — Sat, 10 Jun 2017 17:30:14 GMT

I'll just convert the quad string representation to the numeric address. After this, you can decide which representation to use for this value.

| regex field=ip "(?<quad4>\d+)\.(?<quad3>\d+)\.(?<quad2>\d+)\.(?<quad1>\d+)"
| eval NumericIP=quad4*pow(2,24) + quad3*pow(2,16) + quad2*pow(2,8) + quad1

There is no printf conversion to convert this numeric value into a binary representation, so you'll have to write your own using / and %.

Re: convert string to binary

woodcock — Tue, 13 Jun 2017 12:49:54 GMT

Try this macro:

[IP32BitToDottedQuad(2)]
args = 32BitIP, newFieldName
definition = `comment("This creates a new field (the last arg) by converting \
a 32-bit packed IP address (the first arg) to Dotted-Quad format")` \
| rex field=$32BitIP$ "(?i)(?<JuNkT3Mp_1>[0-9A-F]{2})(?<JuNkT3Mp_2>[0-9A-F]{2})(?<JuNkT3Mp_3>[0-9A-F]{2})(?<JuNkT3Mp_4>[0-9A-F]{2})" \
| eval $newFieldName$ \
= tostring(tonumber(JuNkT3Mp_1,16)) + "." \
+ tostring(tonumber(JuNkT3Mp_2,16)) + "." \
+ tostring(tonumber(JuNkT3Mp_3,16)) + "." \
+ tostring(tonumber(JuNkT3Mp_4,16)) \
| eval $newFieldName$ = \
if((NOT match($newFieldName$, "Null")), $newFieldName$, "unconvertable") \
| fields - JuNkT3Mp_*