EVAL not working in props.conf but works fine in search for converting IP address from decimal to IPv4

Path Finder

Hello Experts,

I have a field called "src" which contains IP addresses in decimal format but I want to change the format to IPv4. I have an eval as mentioned below:

WORKS FINE FOR INLINE SEARCH

eval remainder=src | eval firstoctet=floor(remainder/pow(256,3)) | eval remainder=remainder-(firstoctet*pow(256,3)) | eval secondoctet=floor(remainder/pow(256,2)) | eval remainder=remainder-secondoctet*pow(256,2) | eval thirdoctet=floor(remainder/pow(256,1)) | eval remainder=remainder-thirdoctet*pow(256,1) | eval src_ip=firstoctet+"."+secondoctet+"."+thirdoctet+"."+remainder

DOESN'T WORK FINE WHEN USED IN PROPS.CONF

eval-remainder=src | eval firstoctet=floor(remainder/pow(256,3)) | eval remainder=remainder-(firstoctet*pow(256,3)) | eval secondoctet=floor(remainder/pow(256,2)) | eval remainder=remainder-secondoctet*pow(256,2) | eval thirdoctet=floor(remainder/pow(256,1)) | eval remainder=remainder-thirdoctet*pow(256,1) | eval src_ip=firstoctet+"."+secondoctet+"."+thirdoctet+"."+remainder

Help required. Thanks in advance.

SplunkTrust

There are several apps that give you search commands that will solve this problem now. Just google "splunkbase decimaltoip".

Explorer

Hi!
You could add this in props.conf (this is two lines, one for the DestinationIP field and one for ClientIP):

EVAL-dst = if(DestinationIP!=0,tostring(floor(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)/16777216))+"."+tostring(floor((if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)-floor(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)/16777216)*16777216)/65536))+"."+tostring(floor((if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)-(floor(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)/16777216)*16777216+floor((if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)-floor(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)/16777216)*16777216)/65536)*65536))/256))+"."+tostring(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)-(floor(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)/16777216)*16777216+floor((if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)-floor(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)/16777216)*16777216)/65536)*65536+floor((if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)-(floor(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)/16777216)*16777216+floor((if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)-floor(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)/16777216)*16777216)/65536)*65536))/256)*256)),0)

EVAL-src = if(ClientIP!=0,tostring(floor(if(ClientIP<1,ClientIP+2147483648,ClientIP)/16777216))+"."+tostring(floor((if(ClientIP<1,ClientIP+2147483648,ClientIP)-floor(if(ClientIP<1,ClientIP+2147483648,ClientIP)/16777216)*16777216)/65536))+"."+tostring(floor((if(ClientIP<1,ClientIP+2147483648,ClientIP)-(floor(if(ClientIP<1,ClientIP+2147483648,ClientIP)/16777216)*16777216+floor((if(ClientIP<1,ClientIP+2147483648,ClientIP)-floor(if(ClientIP<1,ClientIP+2147483648,ClientIP)/16777216)*16777216)/65536)*65536))/256))+"."+tostring(if(ClientIP<1,ClientIP+2147483648,ClientIP)-(floor(if(ClientIP<1,ClientIP+2147483648,ClientIP)/16777216)*16777216+floor((if(ClientIP<1,ClientIP+2147483648,ClientIP)-floor(if(ClientIP<1,ClientIP+2147483648,ClientIP)/16777216)*16777216)/65536)*65536+floor((if(ClientIP<1,ClientIP+2147483648,ClientIP)-(floor(if(ClientIP<1,ClientIP+2147483648,ClientIP)/16777216)*16777216+floor((if(ClientIP<1,ClientIP+2147483648,ClientIP)-floor(if(ClientIP<1,ClientIP+2147483648,ClientIP)/16777216)*16777216)/65536)*65536))/256)*256)),0)

Revered Legend

You can only use one expression in one props.conf EVAL entry, not multiple expressions together. I believe, due to the multiple expressions and their inter-dependency, this would be better implemented using a search macro. See this for more details:

http://docs.splunk.com/Documentation/Splunk/6.3.4/Knowledge/Usesearchmacros

SplunkTrust

Eval works differently in props.conf... it has a different syntax and it's one eval per line, like below:

[sourcetypeName]
EVAL-evaluationNameOfYourChoice = x / y
EVAL-UniqueEvaluationNameOfYourChoice = x / 5
etc

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
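Added example (not from the thread): a props.conf stanza that performs the whole decimal-to-dotted-quad conversion in one self-contained EVAL expression, using floor() and the % modulo operator on the source field alone instead of chained intermediate fields, so it fits the one-expression-per-EVAL rule described in the answers above. The sourcetype name my_sourcetype and the field name src are assumptions.

```conf
[my_sourcetype]
# Calculated field (assumed sourcetype and field name): src holds the address as an
# unsigned 32-bit decimal integer. Each octet is derived from src alone (floor + modulo),
# so no EVAL depends on another one, and any value outside 0..4294967295 yields null
# rather than a bogus address.
EVAL-src_ip = if(src<0 OR src>4294967295, null(), tostring(floor(src/16777216)%256).".".tostring(floor(src/65536)%256).".".tostring(floor(src/256)%256).".".tostring(src%256))

# Variant for sources that store the address as a signed 32-bit integer (negative values
# for addresses 128.0.0.0 and above): add 2^32 inline before deriving each octet.
EVAL-src_ip_signed = tostring(floor(if(src<0,src+4294967296,src)/16777216)%256).".".tostring(floor(if(src<0,src+4294967296,src)/65536)%256).".".tostring(floor(if(src<0,src+4294967296,src)/256)%256).".".tostring(if(src<0,src+4294967296,src)%256)
```

Each EVAL must stay on a single line in props.conf; the expression repeats the if() normalisation because calculated fields cannot reference each other.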

SplunkTrust

Ok,

Since you can't do this in props.conf, I wanted to provide you with a custom Splunk search command to help you and anyone else with this task. The Python script is called decimalToIPv4.py, but you can name it whatever you like in your commands.conf.

http://pastebin.com/ESy12auk <- keeps syntax a bit better, but also pasting code below in case pastebin deletes the paste.

# splunk search command to give ipv4 equivalent of decimal ip field named src
# written by: Michael Bentley (michael@bentleypc.com)

import splunk.Intersplunk
import splunk.mining.dcutils as dcu

# use splunk logger (sends to _internal index)
logger = dcu.getLogger()

try:
    # function to convert from decimal to ipv4
    def decimalToIPv4(results):
        for result in results:
            if result.get("src") and result["src"].isdigit():  # change "src" to field name you desire if decimal ip is in different field
                decIP = int(result["src"])  # change "src" to field name you desire if decimal ip is in different field
                if decIP > 4294967295:  # not a valid 32-bit address; leave the event untouched
                    continue
                # integer division keeps the arithmetic exact on both Python 2 and 3
                firstOctet = decIP // 16777216
                secondOctet = (decIP - firstOctet * 16777216) // 65536
                thirdOctet = (decIP - firstOctet * 16777216 - secondOctet * 65536) // 256
                fourthOctet = decIP - firstOctet * 16777216 - secondOctet * 65536 - thirdOctet * 256
                result["ipv4"] = str(firstOctet) + "." + str(secondOctet) + "." + str(thirdOctet) + "." + str(fourthOctet)
        return results

    # get the previous search results
    results, dummy, settings = splunk.Intersplunk.getOrganizedResults()

    # return the previous search results with the ipv4 field added
    splunk.Intersplunk.outputResults(decimalToIPv4(results))

except Exception as e:
    logger.error(e)

So here's how to deploy it:
Copy the above into a file named decimalToIPv4.py and put the file in your Splunk app's bin folder.
In the same splunk app's local folder, create a commands.conf that looks like this (or append this to your current commands.conf):

# decimaltoip is the name of the command as it will be used in splunk (comments in .conf files must sit on their own line)
[decimaltoip]
filename = decimalToIPv4.py

Make sure the .py file has execute permissions and that the user Splunk runs as has permission on the file as well.

Then use it in search like the photo below shows (it creates a field named ipv4):

[screenshot: the decimaltoip command used in a search, producing the ipv4 field]

If you change the decimal ip field from src, you'll need to edit decimalToIPv4.py (lines 14 & 15)

SplunkTrust

@splunk_kk what do you think about my solution?

SplunkTrust

If you'll sit tight, I'm developing a custom Splunk search command to do the job for you, because you can't do the logic in props.conf: evals happen simultaneously and not sequentially.