Splunk Enterprise Security

Convert IPv4 Addresses to decimal

Travlin1
Engager

Hello everyone!

I most likely could solve this problem if given enough time, but always seem to never have enough 🙃. Within Enterprise Security we pull asset information via LDAPsearch into our ES instance hosted in Splunk Cloud. Within the cn=* field, there are multiples for both IP and hostnames. We aim for host fields to be either hostname or nt_host. Some of these values, though, are written as such:

cn=192_168_1_1

I want to evaluate the existing field and output them as normal decimals when seen. I am assuming I would need an if statement keeping hostname values intact while else performing the conversion. I am not at a computer right now but will update with some data and my progress thus far.

Thanks!

1 Solution

bowesmana
SplunkTrust

Something like this?

| makeresults format=csv data="hostname
cn=192_168_1_1
cn=myhost
otherhostnane"
| rex field=hostname "cn=(?<ipAddr>\d{1,3}[._]\d{1,3}[._]\d{1,3}[._]\d{1,3})"
| eval hostname=coalesce(replace(ipAddr, "_", "."), hostname)

Travlin1
Engager

Thanks @bowesmana @sainag_splunk,

I tried both and results were nearly the same! Since the CN field is already extracted, I modified the search like this:

base search ....   | rex field=cn "(?<ipAddr>\d{1,3}[._]\d{1,3}[._]\d{1,3}[._]\d{1,3})"
| eval cn = coalesce(replace(ipAddr, "_", "."), cn)


In case anyone runs into this thread later. 

Much appreciated!

sainag_splunk
Splunk Employee

@Travlin1 something like this?

| makeresults
| eval cn=mvappend(
    "192_168_1_1",
    "10_0_0_5",
    "webserver-prod01",
    "172_16_32_1",
    "database.example.com",
    "192_168_0_badformat",
    "dev_server_01"
  )
| mvexpand cn
| eval converted_host=case(
    match(cn, "^\d+_\d+_\d+_\d+$"), replace(cn, "_", "."),
    true(), cn
  )
| eval host_type=case(
    match(cn, "^\d+_\d+_\d+_\d+$"), "ip_address",
    true(), "hostname"
  )
| table cn, converted_host, host_type

If this helps, Please Upvote.
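
An anchored, range-checked variant of the searches above, as an added example that is not part of any post in this thread: the sample `cn` values are constructed, and the output field names `converted_host` and `host_type` follow sainag_splunk's reply. It matches the whole value and restricts each octet to 0-255, so a hostname that merely contains an IP-like run (`srv_10_0_0_5_backup`) or an out-of-range value (`999_168_1_1`) is left unchanged instead of being rewritten into an asset's host field.

```spl
| makeresults format=csv data="cn
192_168_1_1
10_0_0_5
999_168_1_1
srv_10_0_0_5_backup
webserver-prod01
192_168_0_badformat"
| eval is_ip=if(match(cn, "^((25[0-5]|2[0-4]\d|1?\d?\d)_){3}(25[0-5]|2[0-4]\d|1?\d?\d)$"), 1, 0)
| eval converted_host=if(is_ip=1, replace(cn, "_", "."), cn)
| eval host_type=if(is_ip=1, "ip_address", "hostname")
| table cn, converted_host, host_type
```

Only `192_168_1_1` and `10_0_0_5` are converted; the other four rows keep their original `cn` and are typed as hostnames.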
