https://community.splunk.com/t5/Splunk-Search/How-to-convert-IPv6-to-IPv4-dotted-decimal-format-with-eval/m-p/612159#M212828 <P>Had to do this today because VPN logs for eStreamer returns the IPv4 client_ip field in hex encoded IPv6 format (e.g. 104.33.245.146 is listed as 0000:0000:0000:0000:0000:ffff:6821:f592)</P><LI-CODE lang="markup">index=estreamer | eval A=if(like(client_ip,"0000:0000:0000:0000:0000:ffff:%"), substr(ipv6,31,9) , client_ip) | eval src_ip=if(len(A)==9, tonumber(substr(A,1,2),16). "." .tonumber(substr(A,3,2),16). "." .tonumber(substr(A,6,2),16). "." .tonumber(substr(A,8,2),16), A)</LI-CODE><P>Not sure what the use case OP originally was looking for, but hope this helps someone.</P><UL><LI>First eval compares set temp variable A to the hex-encoded IPv4 if matches the format, otherwise stores the IPv6</LI><LI>Second eval parses &amp; converts each IPv4 octet if A is 9 characters long, othewise returns the IPv6</LI></UL><P>Hope this helps someone else.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 06 Sep 2022 20:40:32 GMT gordo32 2022-09-06T20:40:32Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-IPv6-to-IPv4-dotted-decimal-format-with-eval/m-p/311541#M93361 <P>I've found many samples of how to convert an IPv4 to many different formats but I can't seem to locate one to convert an IPv6 address to IPv4 - Dotted decimal format.</P> <P>Can anyone help?</P> <P>Thanks,<BR />Robert</P> Tue, 06 Sep 2022 20:49:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-IPv6-to-IPv4-dotted-decimal-format-with-eval/m-p/311541#M93361 roayers 2022-09-06T20:49:49Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-IPv6-to-IPv4-dotted-decimal-format-with-eval/m-p/311542#M93362 <P>Splunk has built-in functions to convert hexadecimal to decimal: <A href="http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/ConversionFunctions#tonumber.28NUMSTR.2CBASE.29">http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/ConversionFunctions#tonumber.28NUMSTR.2CBASE.29</A><BR /> Using that, you can build whatever representation you like for IP addresses. </P> <P>I can't help you with how to write the <CODE>eval</CODE> until you let me know how you'd like the lossy conversion from IPv6 to IPv4 to look like - keep in mind, IPv6 addresses are 128bit while IPv4 ones are only 32bit.</P> Sat, 24 Feb 2018 23:23:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-IPv6-to-IPv4-dotted-decimal-format-with-eval/m-p/311542#M93362 martin_mueller 2018-02-24T23:23:23Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-IPv6-to-IPv4-dotted-decimal-format-with-eval/m-p/311543#M93363 <P>There is an RFC related to this. <A href="https://tools.ietf.org/html/rfc6144">https://tools.ietf.org/html/rfc6144</A> which speaks of </P> <P>IPv4-translatable addresses: IPv6 addresses to be assigned to IPv6<BR /> nodes for use with stateless translation. They have an explicit<BR /> mapping relationship to IPv4 addresses. A stateless translator<BR /> uses the corresponding IPv4 addresses to represent the IPv6<BR /> addresses. A stateful translator does not use this kind of<BR /> addresses, since IPv6 hosts are represented by the IPv4 address<BR /> pool in the translator via dynamic state.</P> Fri, 28 Feb 2020 03:29:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-IPv6-to-IPv4-dotted-decimal-format-with-eval/m-p/311543#M93363 benjimons 2020-02-28T03:29:02Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-IPv6-to-IPv4-dotted-decimal-format-with-eval/m-p/612159#M212828 <P>Had to do this today because VPN logs for eStreamer returns the IPv4 client_ip field in hex encoded IPv6 format (e.g. 104.33.245.146 is listed as 0000:0000:0000:0000:0000:ffff:6821:f592)</P><LI-CODE lang="markup">index=estreamer | eval A=if(like(client_ip,"0000:0000:0000:0000:0000:ffff:%"), substr(ipv6,31,9) , client_ip) | eval src_ip=if(len(A)==9, tonumber(substr(A,1,2),16). "." .tonumber(substr(A,3,2),16). "." .tonumber(substr(A,6,2),16). "." .tonumber(substr(A,8,2),16), A)</LI-CODE><P>Not sure what the use case OP originally was looking for, but hope this helps someone.</P><UL><LI>First eval compares set temp variable A to the hex-encoded IPv4 if matches the format, otherwise stores the IPv6</LI><LI>Second eval parses &amp; converts each IPv4 octet if A is 9 characters long, othewise returns the IPv6</LI></UL><P>Hope this helps someone else.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 06 Sep 2022 20:40:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-IPv6-to-IPv4-dotted-decimal-format-with-eval/m-p/612159#M212828 gordo32 2022-09-06T20:40:32Z