topic Convert IPv4 Addresses to decimal in Splunk Enterprise Security

Convert IPv4 Addresses to decimal

Travlin1 — Thu, 19 Dec 2024 01:56:07 GMT

Hello everyone!

I most likely could solve this problem if given enough time, but always seem to never have enough 🙃. Within Enterprise security we pull asset information via LDAPsearch into our ES instance hosted in Splunk Cloud. Within the cn=* field, multiplies for both IP and hostnames. We aim for host fields to be either hostname or nt_host. some of these values though are written as such:

cn=192_168_1_1

I want to evaluate the existing field and output them as normal decimals when seen. I am assuming I would need an if statement keeping intact hostname values while else performing the conversion. I am not at computer right now but will update with some data and my progress thus far.

Thanks!

Re: Convert IPv4 Addresses to decimal

sainag_splunk — Thu, 19 Dec 2024 03:32:03 GMT

@Travlin1 something like this?

| makeresults | eval cn=mvappend( "192_168_1_1", "10_0_0_5", "webserver-prod01", "172_16_32_1", "database.example.com", "192_168_0_badformat", "dev_server_01" ) | mvexpand cn | eval converted_host=case( match(cn, "^\d+_\d+_\d+_\d+$"), replace(cn, "_", "."), true(), cn ) | eval host_type=case( match(cn, "^\d+_\d+_\d+_\d+$"), "ip_address", true(), "hostname" ) | table cn, converted_host, host_type

If this helps, Please Upvote.

Re: Convert IPv4 Addresses to decimal

bowesmana — Thu, 19 Dec 2024 03:38:01 GMT

Something like this?

| makeresults format=csv data="hostname cn=192_168_1_1 cn=myhost otherhostnane" | rex field=hostname "cn=(?<ipAddr>\d{1,3}[._]\d{1,3}[._]\d{1,3}[._]\d{1,3})" | eval hostname=coalesce(replace(ipAddr, "_", "."), hostname)

Re: Convert IPv4 Addresses to decimal

Travlin1 — Thu, 19 Dec 2024 19:26:56 GMT

thanks @bowesmana @sainag_splunk ,

I tried both and results were near same! Sinece the CN field is already extracted I modified the search like this....

base search .... | rex field=cn "(?<ipAddr>\d{1,3}[._]\d{1,3}[._]\d{1,3}[._]\d{1,3})" | eval cn = coalesce(replace(ipAddr, "_", "."), cn)

In case anyone runs into this thread later.

Much appreciated!