topic Re: Bitfield lookup in Splunk Search

Bitfield lookup

sbsbb — Mon, 02 Dec 2013 10:15:51 GMT

I have a field in the logs, that is a Bit-field.
Is there a way, a function to translate those field in a human readable mvfield ?

Here is a bitfield translation example :
1 test1
2 test2
4 test3
8 test4

What I would like, is a way to translate "3" in "test1,test2)

I would enjoy a | bitlookup bittranslation.csv bitfield
But I guess I would have seen it already, if there were one 😉

Re: Bitfield lookup

Ayn — Mon, 02 Dec 2013 10:42:31 GMT

Use MATH

bitfield = 2^(x-1)

(because your first bitfield is not 0 but 1, hence the x-1 instead of x)
So,

x-1 = log2(bitfield)

And finally

x = log2(bitfield)+1

So when bitfield is 8, log2(bitfield) is 3, and so x = 3+1 = 4.

eval has the log(number,base) function that you can use for doing this.

... | eval numfield=log(bitfield,2)+1

Re: Bitfield lookup

sbsbb — Mon, 02 Dec 2013 13:38:57 GMT

I'm not sure to understand,
I've tried
|stats count | eval bitfield=3 | eval numfield=log(bitfield,2)+1

and I get numfield=2.58

I would need something like numfield=(1;2)..

Re: Bitfield lookup

Ayn — Mon, 02 Dec 2013 13:48:04 GMT

Well my understanding of the bitfield is that it would always be a 2 exponent? So it'd follow the pattern 1,2,4,8,16,32,...

In that case bitfield will never be 3.

Re: Bitfield lookup

sbsbb — Mon, 02 Dec 2013 17:13:00 GMT

If I have a bit field set to 3, that means that I have the bit 1 and 2 set. That why I need a function to check what bits are set

Re: Bitfield lookup

sciurus — Mon, 02 Dec 2013 21:27:17 GMT

Extract using math:

divide by 2^n to shift the value right by n bits
modulo by 2 to get the low bit

or...

Extracting with a CSV:

|stats count | eval bitfield = 5 | lookup bitlookup.csv bitfield OUTPUT bitnames | makemv delim="|" bitnames

$ cat bitlookup.csv

bitfield,bitnames
0,b0
1,b1
2,b2
3,b1|b2
4,b4
5,b1|b4
6,b2|b4
7,b1|b2|b4
8,b8
9,b1|b8
10,b2|b8
11,b1|b2|b8
12,b4|b8
13,b1|b4|b8
14,b2|b4|b8
15,b1|b2|b4|b8