topic How to convert IP to decimal in Splunk Search

How to convert IP to decimal

KwonTaeHoon — Wed, 17 Apr 2024 13:30:34 GMT

Hello

My lookup table has fields of src_ip, dst_ip, and description.

src_ip=192.168.1.1

dst_ip=192.168.1.100

description="internal IP"

I want to convert the src_ip field and dst_ip to decimal.

If you know how to convert it, please add a reply.

Thank you

Re: How to convert IP to decimal

jason_hotchkiss — Wed, 17 Apr 2024 14:46:36 GMT

Take a look at this solution:

https://community.splunk.com/t5/Splunk-Search/Convert-Hexadecimal-IP-v4-addresses-to-decimal/td-p/40938

You could use: (?<d1>\d{1,3})\.(?<d2>\d{1,3})\.(?<d3>\d{1,3})\.(?<d4>\d{1,3}) for your particular example as the rex conversion.

| makeresults count=1 | eval src_ip = "192.168.1.1" | streamstats values(src_ip) as src_ip by _time | rex field=src_ip "(?<d1>\d{1,3})\.(?<d2>\d{1,3})\.(?<d3>\d{1,3})\.(?<d4>\d{1,3})" | eval dec_src_ip = 'd1'*16777216+'d2'*65536+'d3'*256+'d4'+0

There is also an app that provides you a command to do the conversion:
https://splunkbase.splunk.com/app/512

Re: How to convert IP to decimal

yuanliu — Thu, 18 Apr 2024 16:40:56 GMT

Let me give this a semantic makeover using bit_shift_left😃 (9.2 and above - thanks @jason_hotchkiss for noticing) because semantic code is easier to understand and maintain.

| eval offset = mvappend("24", "16", "8") | eval segment_rev = mvrange(0, 3) | foreach *_ip [eval <<FIELD>> = split(<<FIELD>>, "."), <<FIELD>>_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(<<FIELD>>, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(<<FIELD>>, 3))), <<FIELD>> = mvjoin(<<FIELD>>, ".") ``` this last part for display only ```] | fields - offset segment_rev

The sample data gives

dst_ip	dst_ip_dec	src_ip	src_ip_dec
192.168.1.100	3232235876	192.168.1.1	3232235777

Here is an emulation you can play with and compare with real data

| makeresults format=csv data="src_ip, dst_ip 192.168.1.1, 192.168.1.100" ``` data emulation above ```

Note: If it helps readability., you can skip foreach and spell the two operations separately.

| eval offset = mvappend("24", "16", "8") | eval segment_rev = mvrange(0, 3) | eval src_ip = split(src_ip, ".") | eval dst_ip = split(dst_ip, ".") | eval src_ip_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(src_ip, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(src_ip, 3))) | eval dst_ip_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(dst_ip, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(dst_ip, 3))) | eval src_ip = mvjoin(src_ip, "."), dst_ip = mvjoin(dst_ip, ".") ``` for display only ``` | fields - offset segment_rev

Re: How to convert IP to decimal

jason_hotchkiss — Thu, 18 Apr 2024 13:40:15 GMT

| eval offset = mvappend("24", "16", "8") | eval segment_rev = mvrange(0, 3) | eval offset = mvappend("24", "16", "8") | eval segment_rev = mvrange(0, 3)

For the above, should the second set have been given a different value for the field?

Additionally, when I run the example, I received:

04-18-2024 13:36:06.590 ERROR EvalCommand [102993 searchOrchestrator] - The 'bit_shift_left' function is unsupported or undefined.

I believe the function requires 9.2.0+

Re: How to convert IP to decimal

yuanliu — Thu, 18 Apr 2024 16:47:49 GMT

04-18-2024 13:36:06.590 ERROR EvalCommand [102993 searchOrchestrator] - The 'bit_shift_left' function is unsupported or undefined.

I believe the function requires 9.2.0+

Thanks for noticing! I always assumed that bitwise operations had been part of SPL from day one but no. The document has this footer: "This documentation applies to the following versions of Splunk® Enterprise: 9.2.0, 9.2.1." (Searching in previous versions results in the same pointers to 9.2.)

For the above, should the second set have been given a different value for the field?

Those are really bad copy-and-paste errors. Corrected.