Splunk Dev

convert string to binary

khanlarloo
Explorer

hi
how can i convert string to the form of ip add.when i search the ip add it shows ip add in the form of string instead of ip add format.

is there any solution to convert string to binary format of ip add?

Tags (1)
0 Karma

woodcock
Esteemed Legend

Try this macro:

[IP32BitToDottedQuad(2)]
args = 32BitIP, newFieldName
definition = `comment("This creates a new field (the last arg) by converting \
a 32-bit packed IP address (the first arg) to Dotted-Quad format")` \
| rex field=$32BitIP$ "(?i)(?<JuNkT3Mp_1>[0-9A-F]{2})(?<JuNkT3Mp_2>[0-9A-F]{2})(?<JuNkT3Mp_3>[0-9A-F]{2})(?<JuNkT3Mp_4>[0-9A-F]{2})" \
| eval $newFieldName$ \
= tostring(tonumber(JuNkT3Mp_1,16)) + "." \
+ tostring(tonumber(JuNkT3Mp_2,16)) + "." \
+ tostring(tonumber(JuNkT3Mp_3,16)) + "." \
+ tostring(tonumber(JuNkT3Mp_4,16)) \
| eval $newFieldName$ = \
if((NOT match($newFieldName$, "Null")), $newFieldName$, "unconvertable") \
| fields - JuNkT3Mp_*
0 Karma

yuanliu
SplunkTrust
SplunkTrust

I'll just convert the quad string representation to the numeric address. After this, you can decide which representation to use for this value.

| regex field=ip "(?<quad4>\d+)\.(?<quad3>\d+)\.(?<quad2>\d+)\.(?<quad1>\d+)"
| eval NumericIP=quad4*pow(2,24) + quad3*pow(2,16) + quad2*pow(2,8) + quad1

There is no printf conversion to convert this numeric value into a binary representation, so you'll have to write your own using / and %.

0 Karma

maciep
Champion

do you have any example data you can share? And/Or could you elaborate a bit? What is the difference between the string representation and the IP address form?

0 Karma

yuanliu
SplunkTrust
SplunkTrust

I think it means to convert a quad format string representation of the numeric IP address into a binary representation of the numeric value. For example, the numeric value of 255.0.0.1 is 255*2^24 + 0*2^16 + 0*2^8 + 1*2 = (dec)4278190081 = (bin)11111111000000000000000000000001. Sometimes it is useful to use decimal string or hexadecimal string of the address value, but I really don't see what benefit could it be to use a binary string representation.

0 Karma

khanlarloo
Explorer

you can find a sample log file below

"May 13 17:55:05 192.168.10.16 May 13 17:55:05 wsm-2 attack: risk=Low, event=""Backend error"", proxy=""both://gsh:443"", proxy_id=31, log_id=3545324, source=""81.91.144.51"", violation=""General request violation"", path=""/content/assets/css/byekan.woff"", method=""GET"", node=""wsm-2.rb.snig.armandata.net"", action=""Allow"", time=""May 13 17:54:58 2017""","2017-05-13T17:55:05.000+0430",Allow,"81.91.144.51",17,13,55,may,5,saturday,2017,local,"Backend error",,,"192.168.10.16",main,1,3545324,GET,"wsm-2.rb.snig.armandata.net",,"/content/assets/css/byekan.woff",,attack,,"both://gsh:443",31,"::_...::-:=,="""",=""://..:"",=,=,=""...""",Low,"udp:514",syslog,SIEM,,,,"May 13 17:54:58 2017",15,0,,"General request violation"

as you see the source field contains IP address that i want extract it.
and use it in Choropleth Map
how can i do that.

0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...