Re: convert string to binary

khanlarloo · ‎06-10-2017

hi
how can i convert string to the form of ip add.when i search the ip add it shows ip add in the form of string instead of ip add format.

is there any solution to convert string to binary format of ip add?

woodcock · ‎06-13-2017

Try this macro:

[IP32BitToDottedQuad(2)]
args = 32BitIP, newFieldName
definition = `comment("This creates a new field (the last arg) by converting \
a 32-bit packed IP address (the first arg) to Dotted-Quad format")` \
| rex field=$32BitIP$ "(?i)(?<JuNkT3Mp_1>[0-9A-F]{2})(?<JuNkT3Mp_2>[0-9A-F]{2})(?<JuNkT3Mp_3>[0-9A-F]{2})(?<JuNkT3Mp_4>[0-9A-F]{2})" \
| eval $newFieldName$ \
= tostring(tonumber(JuNkT3Mp_1,16)) + "." \
+ tostring(tonumber(JuNkT3Mp_2,16)) + "." \
+ tostring(tonumber(JuNkT3Mp_3,16)) + "." \
+ tostring(tonumber(JuNkT3Mp_4,16)) \
| eval $newFieldName$ = \
if((NOT match($newFieldName$, "Null")), $newFieldName$, "unconvertable") \
| fields - JuNkT3Mp_*

yuanliu · ‎06-10-2017

I'll just convert the quad string representation to the numeric address. After this, you can decide which representation to use for this value.

| regex field=ip "(?<quad4>\d+)\.(?<quad3>\d+)\.(?<quad2>\d+)\.(?<quad1>\d+)"
| eval NumericIP=quad4*pow(2,24) + quad3*pow(2,16) + quad2*pow(2,8) + quad1

There is no printf conversion to convert this numeric value into a binary representation, so you'll have to write your own using / and %.

maciep · ‎06-10-2017

do you have any example data you can share? And/Or could you elaborate a bit? What is the difference between the string representation and the IP address form?

yuanliu · ‎06-10-2017

I think it means to convert a quad format string representation of the numeric IP address into a binary representation of the numeric value. For example, the numeric value of 255.0.0.1 is 255*2^24 + 0*2^16 + 0*2^8 + 1*2 = (dec)4278190081 = (bin)11111111000000000000000000000001. Sometimes it is useful to use decimal string or hexadecimal string of the address value, but I really don't see what benefit could it be to use a binary string representation.

khanlarloo · ‎06-10-2017

you can find a sample log file below

"May 13 17:55:05 192.168.10.16 May 13 17:55:05 wsm-2 attack: risk=Low, event=""Backend error"", proxy=""both://gsh:443"", proxy_id=31, log_id=3545324, source=""81.91.144.51"", violation=""General request violation"", path=""/content/assets/css/byekan.woff"", method=""GET"", node=""wsm-2.rb.snig.armandata.net"", action=""Allow"", time=""May 13 17:54:58 2017""","2017-05-13T17:55:05.000+0430",Allow,"81.91.144.51",17,13,55,may,5,saturday,2017,local,"Backend error",,,"192.168.10.16",main,1,3545324,GET,"wsm-2.rb.snig.armandata.net",,"/content/assets/css/byekan.woff",,attack,,"both://gsh:443",31,"::_...::-:=,="""",=""://..:"",=,=,=""...""",Low,"udp:514",syslog,SIEM,,,,"May 13 17:54:58 2017",15,0,,"General request violation"

as you see the source field contains IP address that i want extract it.
and use it in Choropleth Map
how can i do that.

convert string to binary

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies