Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

convert string to binary

khanlarloo
Explorer
‎06-10-2017 05:11 AM

hi
how can i convert string to the form of ip add.when i search the ip add it shows ip add in the form of string instead of ip add format.

is there any solution to convert string to binary format of ip add?

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-13-2017 05:49 AM

Try this macro:

[IP32BitToDottedQuad(2)]
args = 32BitIP, newFieldName
definition = `comment("This creates a new field (the last arg) by converting \
a 32-bit packed IP address (the first arg) to Dotted-Quad format")` \
| rex field=$32BitIP$ "(?i)(?<JuNkT3Mp_1>[0-9A-F]{2})(?<JuNkT3Mp_2>[0-9A-F]{2})(?<JuNkT3Mp_3>[0-9A-F]{2})(?<JuNkT3Mp_4>[0-9A-F]{2})" \
| eval $newFieldName$ \
= tostring(tonumber(JuNkT3Mp_1,16)) + "." \
+ tostring(tonumber(JuNkT3Mp_2,16)) + "." \
+ tostring(tonumber(JuNkT3Mp_3,16)) + "." \
+ tostring(tonumber(JuNkT3Mp_4,16)) \
| eval $newFieldName$ = \
if((NOT match($newFieldName$, "Null")), $newFieldName$, "unconvertable") \
| fields - JuNkT3Mp_*
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-10-2017 10:30 AM

I'll just convert the quad string representation to the numeric address. After this, you can decide which representation to use for this value.

| regex field=ip "(?<quad4>\d+)\.(?<quad3>\d+)\.(?<quad2>\d+)\.(?<quad1>\d+)"
| eval NumericIP=quad4*pow(2,24) + quad3*pow(2,16) + quad2*pow(2,8) + quad1

There is no printf conversion to convert this numeric value into a binary representation, so you'll have to write your own using / and %.

0 Karma
Reply

maciep
Champion
‎06-10-2017 05:28 AM

do you have any example data you can share? And/Or could you elaborate a bit? What is the difference between the string representation and the IP address form?

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-10-2017 10:13 AM

I think it means to convert a quad format string representation of the numeric IP address into a binary representation of the numeric value. For example, the numeric value of 255.0.0.1 is 255*2^24 + 0*2^16 + 0*2^8 + 1*2 = (dec)4278190081 = (bin)11111111000000000000000000000001. Sometimes it is useful to use decimal string or hexadecimal string of the address value, but I really don't see what benefit could it be to use a binary string representation.

0 Karma
Reply

khanlarloo
Explorer
‎06-10-2017 05:36 AM

you can find a sample log file below

"May 13 17:55:05 192.168.10.16 May 13 17:55:05 wsm-2 attack: risk=Low, event=""Backend error"", proxy=""both://gsh:443"", proxy_id=31, log_id=3545324, source=""81.91.144.51"", violation=""General request violation"", path=""/content/assets/css/byekan.woff"", method=""GET"", node=""wsm-2.rb.snig.armandata.net"", action=""Allow"", time=""May 13 17:54:58 2017""","2017-05-13T17:55:05.000+0430",Allow,"81.91.144.51",17,13,55,may,5,saturday,2017,local,"Backend error",,,"192.168.10.16",main,1,3545324,GET,"wsm-2.rb.snig.armandata.net",,"/content/assets/css/byekan.woff",,attack,,"both://gsh:443",31,"::_...::-:=,="""",=""://..:"",=,=,=""...""",Low,"udp:514",syslog,SIEM,,,,"May 13 17:54:58 2017",15,0,,"General request violation"

as you see the source field contains IP address that i want extract it.
and use it in Choropleth Map
how can i do that.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top