topic Re: ip address in non usual format in Splunk Search

ip address in non usual format

changux — Fri, 05 Jun 2015 15:16:03 GMT

Hi all. I have a mcafee logging in a SQL database with a field:

sourceip=739840322

How i can traslate this Ip to a standard IP format?

What format is that?

Regards.

Re: ip address in non usual format

acharlieh — Fri, 05 Jun 2015 15:27:39 GMT

If I had to guess, that looks like the decimal representation of an IPv4 address.

If we convert to that number to Hex, you wind up with 2C191142

which if we take as a byte at a time translates to: 44.25.17.66

A first pass at eval statements to make the conversion is:

base search
| eval remainder=sourceip
| eval firstoctet=floor(remainder/pow(256,3)) | eval remainder=remainder-(firstoctet*pow(256,3))
| eval secondoctet=floor(remainder/pow(256,2)) | eval remainder=remainder-secondoctet*pow(256,2)
| eval thirdoctet=floor(remainder/pow(256,1)) | eval remainder=remainder-thirdoctet*pow(256,1)
| eval sourceip_string=firstoctet+"."+secondoctet+"."+thirdoctet+"."+remainder
| fields sourceip*

But of course that assumes you only have IPv4 addresses stored there and it feels very clunky, but it works.

Re: ip address in non usual format

acharlieh — Fri, 05 Jun 2015 15:36:06 GMT

Translating this process to eval statements will take a bit of finagling and I'll have to come back to it later, as the hex string could be variable length, and you'd want to split into up to 2 character segments starting from the back and working forward. strike that, you'd want to do divisions of powers of 256

Re: ip address in non usual format

changux — Fri, 05 Jun 2015 15:39:35 GMT

Any suggestion of eval to do the change?

Re: ip address in non usual format

acharlieh — Fri, 05 Jun 2015 15:48:05 GMT

I made a first pass at a chain of several. That could likely be cleaned up to get down to one or two, but it'd take some finagling. The fields command probably you'd want to adjust to get rid of the in progress steps.

Re: ip address in non usual format

changux — Fri, 05 Jun 2015 15:50:18 GMT

My field is named sourceip4, how i can use with your suggestion?

Re: ip address in non usual format

acharlieh — Fri, 05 Jun 2015 15:52:22 GMT

Change the first line: | eval remainder=sourceip to | eval remainder=sourceip4 You may want to also look at playing with the last eval (where all the octets are assembled) and the fields to clean up the steps in the middle.

Re: ip address in non usual format

jrizzo_splunk — Tue, 09 Jun 2015 20:53:35 GMT

I wrote a command to do this. I uploaded it to github: https://github.com/rzzldzzl/splunk_dec2ip_command

Example:

$ splunk search '| stats count | fields - count | eval dec_ip="739840322" | dec_ip ip4'
 dec_ip       ip4
--------- -----------
739840322 44.25.17.66

Joe