https://community.splunk.com/t5/Splunk-Search/Convert-an-hexadecimal-field-to-binary/m-p/186635#M187035 <P>The best approach might writing a custom lookup script, where you enter the HEX, and using a Python script returns the BIN as a string. If you look the example "external_lookup.py" inside $SPLUNK_HOME/etc/system/bin, you can see the main looping there, you could use the binascii Python library to easily convert.</P> <P>Cheers</P> Mon, 28 Sep 2020 19:14:05 GMT musskopf 2020-09-28T19:14:05Z https://community.splunk.com/t5/Splunk-Search/Convert-an-hexadecimal-field-to-binary/m-p/186631#M187031 <P>Hello, </P> <P>I'm trying to convert an hexadecimal field to base two (binary). <BR /> Let me show you an exemple :<BR /> field_hex=fffffffffffff83f <BR /> my need =&gt; 1111111111111111111111111111111111111111111111111111100000111111</P> <P>Actually, I try tonumber(field_hex, 2). </P> <P>I need to rex this output.</P> Mon, 16 Mar 2015 13:02:57 GMT https://community.splunk.com/t5/Splunk-Search/Convert-an-hexadecimal-field-to-binary/m-p/186631#M187031 lblum 2015-03-16T13:02:57Z https://community.splunk.com/t5/Splunk-Search/Convert-an-hexadecimal-field-to-binary/m-p/186632#M187032 <P>What I can do actually : <BR /> eval n=tonumber("3f", 16) | eval nn=tonumber("63", 10) | eval nnn=tonumber("00111111", 2) | table _raw, n, nn, nnn<BR /> =&gt; 63, 63, 63</P> <P>Hexa :<BR /> ff ff ff ff ff ff f8 3f<BR /> Decimal :<BR /> 255 255 255 255 255 255 248 63<BR /> Binary :<BR /> 11111111 11111111 11111111 11111111 11111111 11111111 11111000 00111111</P> <P>I need to regexp Binary result.</P> Mon, 16 Mar 2015 14:03:05 GMT https://community.splunk.com/t5/Splunk-Search/Convert-an-hexadecimal-field-to-binary/m-p/186632#M187032 lblum 2015-03-16T14:03:05Z https://community.splunk.com/t5/Splunk-Search/Convert-an-hexadecimal-field-to-binary/m-p/186633#M187033 <P>I do not fully understand what you are trying to do, but would still like to recommend <A href="https://regex101.com/">https://regex101.com/</A> to you. You can try regular expressions pretty nicely there.</P> Mon, 16 Mar 2015 14:13:58 GMT https://community.splunk.com/t5/Splunk-Search/Convert-an-hexadecimal-field-to-binary/m-p/186633#M187033 jeffland 2015-03-16T14:13:58Z https://community.splunk.com/t5/Splunk-Search/Convert-an-hexadecimal-field-to-binary/m-p/186634#M187034 <P>Hello, </P> <P>In my log, I ve got :<BR /> 09/02/15 00:00:00&gt;1 00 00 21 00 fffffffffffff83f.<BR /> To fully stat or report this line I need to convert hex to binary :<BR /> 09/02/15 00:00:00&gt;1 00 00 21 00 1111111111111111111111111111111111111111111111111111100000111111</P> Mon, 16 Mar 2015 14:45:40 GMT https://community.splunk.com/t5/Splunk-Search/Convert-an-hexadecimal-field-to-binary/m-p/186634#M187034 lblum 2015-03-16T14:45:40Z https://community.splunk.com/t5/Splunk-Search/Convert-an-hexadecimal-field-to-binary/m-p/186635#M187035 <P>The best approach might writing a custom lookup script, where you enter the HEX, and using a Python script returns the BIN as a string. If you look the example "external_lookup.py" inside $SPLUNK_HOME/etc/system/bin, you can see the main looping there, you could use the binascii Python library to easily convert.</P> <P>Cheers</P> Mon, 28 Sep 2020 19:14:05 GMT https://community.splunk.com/t5/Splunk-Search/Convert-an-hexadecimal-field-to-binary/m-p/186635#M187035 musskopf 2020-09-28T19:14:05Z https://community.splunk.com/t5/Splunk-Search/Convert-an-hexadecimal-field-to-binary/m-p/186636#M187036 <P>I have no idea how well this will work/scale or if it would be viable solution, but thought it worth at least throwing out there...</P> <P>'| localop | stats count <BR /> | eval blah = upper("fffffffffffff83f")<BR /> | eval blah = split(blah,"") <BR /> | mvexpand blah <BR /> | eval blah=replace(blah,"1","0001")<BR /> | eval blah=replace(blah,"2","0010")<BR /> | eval blah=replace(blah,"3","0011")<BR /> | eval blah=replace(blah,"4","0100")<BR /> | eval blah=replace(blah,"5","0101")<BR /> | eval blah=replace(blah,"6","0110")<BR /> | eval blah=replace(blah,"7","0111")<BR /> | eval blah=replace(blah,"8","1000")<BR /> | eval blah=replace(blah,"9","1001")<BR /> | eval blah=replace(blah,"A","1010")<BR /> | eval blah=replace(blah,"B","1011")<BR /> | eval blah=replace(blah,"C","1100")<BR /> | eval blah=replace(blah,"D","1101")<BR /> | eval blah=replace(blah,"E","1110")<BR /> | eval blah=replace(blah,"F","1111")<BR /> | mvcombine blah<BR /> | eval blah = ltrim(mvjoin(blah,""),"0")'</P> Tue, 17 Mar 2015 02:35:50 GMT https://community.splunk.com/t5/Splunk-Search/Convert-an-hexadecimal-field-to-binary/m-p/186636#M187036 maciep 2015-03-17T02:35:50Z https://community.splunk.com/t5/Splunk-Search/Convert-an-hexadecimal-field-to-binary/m-p/186637#M187037 <P>Actually, I guess you don't need to do all of the mv stuff...just a bunch of replaces might work.</P> <P>| localop | stats count <BR /> | eval blah = upper("fffffffffffff83f")<BR /> | eval blah=replace(blah,"1","0001")<BR /> | eval blah=replace(blah,"2","0010")<BR /> | eval blah=replace(blah,"3","0011")<BR /> | eval blah=replace(blah,"4","0100")<BR /> | eval blah=replace(blah,"5","0101")<BR /> | eval blah=replace(blah,"6","0110")<BR /> | eval blah=replace(blah,"7","0111")<BR /> | eval blah=replace(blah,"8","1000")<BR /> | eval blah=replace(blah,"9","1001")<BR /> | eval blah=replace(blah,"A","1010")<BR /> | eval blah=replace(blah,"B","1011")<BR /> | eval blah=replace(blah,"C","1100")<BR /> | eval blah=replace(blah,"D","1101")<BR /> | eval blah=replace(blah,"E","1110")<BR /> | eval blah=replace(blah,"F","1111")<BR /> | eval blah = ltrim(tostring(blah),"0")</P> Tue, 17 Mar 2015 02:48:35 GMT https://community.splunk.com/t5/Splunk-Search/Convert-an-hexadecimal-field-to-binary/m-p/186637#M187037 maciep 2015-03-17T02:48:35Z