topic Does anyone have an idea how to make a bitwise AND operation for a high number of events in Splunk? in Splunk Search

Does anyone have an idea how to make a bitwise AND operation for a high number of events in Splunk?

Berma — Fri, 16 Jun 2023 13:59:05 GMT

Hey all

The PAN-OS traffic log include a log field ‚flags‘

‚Flags‘ is a 32-Bit field that provide details on session. This field can be decoded with a bitwise AND operation.

E.g. you have to bitwise AND operate the value 0x01000000 to the logged value to know the a SSL session was decrypted.

I guess that I have to convert the logged hexadecimal value to decimal. That is no problem.

But the bitwise operation require to convert the value to a binary value and here I‘m stuck.

I don‘t manage to convert the value in binary for each event of the traffic logs.

That‘s why I not get to the point where to bitwiseand the logged value with a value provided by a list from Palo Alto Networks.

Does anyone have an idea how to make a bitwise AND operation for a high number of events in Splunk?

ITWhisperer — Thu, 15 Jun 2023 08:51:00 GMT

Berma — Thu, 15 Jun 2023 15:34:27 GMT

This solution is working like a charm and an effective way to convert hex to bin.

unfortunately I am now with the second part of the task, the bitwise AND

i tried

eval = bwa ( bin1 * bin2)

e.g.
bin1 = 0000000000000000000000011011

bin2 = 0001000000000000000000000000

the expected result should be

0000000000000000000000000000

but the result from the eval function is

1101100000000000000000000000

maybe the detour via binary numbers is wrong approach or the operation not correct.

do you have an idea?

ITWhisperer — Thu, 15 Jun 2023 16:43:44 GMT

If you just want the value of the 4th bit, use substr()