
How to convert a decimal IP address to dotted quad IPv4 using SPL?

Muwafi
Path Finder

Hello Guys,

I'm working on data which is exported by telecom devices, and IPs are exported in decimal format as 170468155.

Can you help to convert this to normal dotted quad IP format xxx.xxx.xxx.xxx?

0 Karma

mgohman_splunk
Splunk Employee

I tested this app, it works. It's in Splunkbase:
IP Format Conversion Scripted Lookup

0 Karma

493669
Super Champion
0 Karma

Muwafi
Path Finder

I saw that answer before asking my question. It's a different case.

0 Karma

493669
Super Champion

Hi @Muwafi,
If your decimal value is present in the IP field, then try this:

| eval ip=if(IP<1,IP+2147483648,IP) | eval aaa=floor(ip/16777216) | eval bbb=floor((ip-aaa*16777216)/65536) | eval ccc=floor((ip-(aaa*16777216+bbb*65536))/256) | eval ddd=ip-(aaa*16777216+bbb*65536+ccc*256) | eval ipv4=tostring(aaa)+"."+tostring(bbb)+"."+tostring(ccc)+"."+tostring(ddd)

Try this run-anywhere search:

| makeresults | eval IP="170468155" | eval ip=if(IP<1,IP+2147483648,IP) | eval aaa=floor(ip/16777216) | eval bbb=floor((ip-aaa*16777216)/65536) | eval ccc=floor((ip-(aaa*16777216+bbb*65536))/256) | eval ddd=ip-(aaa*16777216+bbb*65536+ccc*256) | eval ipv4=tostring(aaa)+"."+tostring(bbb)+"."+tostring(ccc)+"."+tostring(ddd)

So for a decimal value of IP="170468155" it will output "10.41.35.59".

0 Karma
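
The arithmetic behind the search above, written out as an added Python example that is not part of the original answer or of any Splunk app: each octet is one byte of the 32-bit number, and slicing decimal digits (the substr approach tried in this thread) cannot reproduce that. The function names are hypothetical, and treating a negative input as a signed 32-bit export is an assumption.

```python
def decimal_to_dotted_quad(value):
    """Convert a decimal IPv4 value (int or numeric string) to a.b.c.d."""
    n = int(str(value).strip())
    if n < 0:
        # Assumption: a negative number is the same 32 bits exported as a
        # signed integer, so add 2**32 to recover the unsigned value.
        n += 1 << 32
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"{value!r} does not fit in 32 bits")
    # Each octet is one byte of the number, most significant first:
    # a = n // 256**3, b = (n // 256**2) % 256, c = (n // 256) % 256, d = n % 256
    octets = [(n >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    return ".".join(str(o) for o in octets)


def dotted_quad_to_decimal(text):
    """Inverse conversion, useful for checking results: a.b.c.d -> integer."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r} is not a dotted quad")
    n = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet {part!r} is out of range")
        n = n * 256 + octet
    return n


def digit_slicing(value):
    """The substr-style approach from the thread: it cuts decimal digits,
    which is not the same as cutting bytes, so the result is not an IP."""
    s = str(value)
    # SPL substr(str, start, length) is 1-based: (1,3), (4,6), (7,9)
    return s[0:3] + "." + s[3:9] + "." + s[6:15]


if __name__ == "__main__":
    sample = 170468155  # value from the question
    print(decimal_to_dotted_quad(sample))
    print(dotted_quad_to_decimal("10.41.35.59"))
    print(digit_slicing(sample))
```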

Sukisen1981
Champion

Hi,

Have you tried this?
| eval ips=tostring(ip)| eval newip=substr(ips,1,3)+"."+substr(ips,4,6)+"."+substr(ips,7,9)
Assuming your 170468155 is a field value for a field named ip.

0 Karma

Muwafi
Path Finder

That didn't work!

0 Karma

Sukisen1981
Champion

Didn't work? Care to explain? Can you post your event log containing your ip field?
What you are asking is very simple. I suspect we are not understanding your question completely.

0 Karma

Muwafi
Path Finder

It's giving a wrong result.

If you used this website https://www.ipaddressguide.com/ip to convert between decimal IP and dotted quad IP, the result of converting 170468155 is 10.41.35.59, while your eval result is 170.468155.155.

The issue is not adding the ".", it needs calculations!

0 Karma

Sukisen1981
Champion

Hang on a second... this is not strictly a Splunk question. What you need is the logic to convert the decimal to IP (in general mathematical terms) and then implement the same in Splunk.
Do you have the maths / formula behind the conversion?
We can then try to implement the same in Splunk.

0 Karma

Muwafi
Path Finder

I don't have the formula 😞

0 Karma