Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Bitfield lookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a field in the logs, that is a Bit-field.
Is there a way, a function to translate those field in a human readable mvfield ?
Here is a bitfield translation example :
1 test1
2 test2
4 test3
8 test4
What I would like, is a way to translate "3" in "test1,test2)
I would enjoy a | bitlookup bittranslation.csv bitfield
But I guess I would have seen it already, if there were one 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extract using math:
- divide by 2^n to shift the value right by n bits
- modulo by 2 to get the low bit
|stats count | eval bitfield = 5 | eval numfield1=(bitfield % 2) | eval numfield2 = floor(bitfield / 2) % 2 | eval numfield3 = floor(bitfield / 4) % 2
or...
Extracting with a CSV:
|stats count | eval bitfield = 5 | lookup bitlookup.csv bitfield OUTPUT bitnames | makemv delim="|" bitnames
$ cat bitlookup.csv
bitfield,bitnames
0,b0
1,b1
2,b2
3,b1|b2
4,b4
5,b1|b4
6,b2|b4
7,b1|b2|b4
8,b8
9,b1|b8
10,b2|b8
11,b1|b2|b8
12,b4|b8
13,b1|b4|b8
14,b2|b4|b8
15,b1|b2|b4|b8
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extract using math:
- divide by 2^n to shift the value right by n bits
- modulo by 2 to get the low bit
|stats count | eval bitfield = 5 | eval numfield1=(bitfield % 2) | eval numfield2 = floor(bitfield / 2) % 2 | eval numfield3 = floor(bitfield / 4) % 2
or...
Extracting with a CSV:
|stats count | eval bitfield = 5 | lookup bitlookup.csv bitfield OUTPUT bitnames | makemv delim="|" bitnames
$ cat bitlookup.csv
bitfield,bitnames
0,b0
1,b1
2,b2
3,b1|b2
4,b4
5,b1|b4
6,b2|b4
7,b1|b2|b4
8,b8
9,b1|b8
10,b2|b8
11,b1|b2|b8
12,b4|b8
13,b1|b4|b8
14,b2|b4|b8
15,b1|b2|b4|b8
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use MATH
bitfield = 2^(x-1)
(because your first bitfield is not 0 but 1, hence the x-1 instead of x)
So,
x-1 = log2(bitfield)
And finally
x = log2(bitfield)+1
So when bitfield is 8, log2(bitfield) is 3, and so x = 3+1 = 4.
eval has the log(number,base) function that you can use for doing this.
... | eval numfield=log(bitfield,2)+1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I have a bit field set to 3, that means that I have the bit 1 and 2 set. That why I need a function to check what bits are set
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well my understanding of the bitfield is that it would always be a 2 exponent? So it'd follow the pattern 1,2,4,8,16,32,...
In that case bitfield will never be 3.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure to understand,
I've tried
|stats count | eval bitfield=3 | eval numfield=log(bitfield,2)+1
and I get numfield=2.58
I would need something like numfield=(1;2)..
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
