Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Bitfield lookup

sbsbb
Builder
‎12-02-2013 02:15 AM

I have a field in the logs, that is a Bit-field.
Is there a way, a function to translate those field in a human readable mvfield ?

Here is a bitfield translation example :
1 test1
2 test2
4 test3
8 test4

What I would like, is a way to translate "3" in "test1,test2)

I would enjoy a | bitlookup bittranslation.csv bitfield
But I guess I would have seen it already, if there were one 😉

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sciurus
Path Finder
‎12-02-2013 01:27 PM

Extract using math:

  • divide by 2^n to shift the value right by n bits
  • modulo by 2 to get the low bit

|stats count | eval bitfield = 5 | eval numfield1=(bitfield % 2) | eval numfield2 = floor(bitfield / 2) % 2 | eval numfield3 = floor(bitfield / 4) % 2

or...

Extracting with a CSV:

|stats count | eval bitfield = 5 | lookup bitlookup.csv bitfield OUTPUT bitnames | makemv delim="|" bitnames

$ cat bitlookup.csv

bitfield,bitnames
0,b0
1,b1
2,b2
3,b1|b2
4,b4
5,b1|b4
6,b2|b4
7,b1|b2|b4
8,b8
9,b1|b8
10,b2|b8
11,b1|b2|b8
12,b4|b8
13,b1|b4|b8
14,b2|b4|b8
15,b1|b2|b4|b8

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sciurus
Path Finder
‎12-02-2013 01:27 PM

Extract using math:

  • divide by 2^n to shift the value right by n bits
  • modulo by 2 to get the low bit

|stats count | eval bitfield = 5 | eval numfield1=(bitfield % 2) | eval numfield2 = floor(bitfield / 2) % 2 | eval numfield3 = floor(bitfield / 4) % 2

or...

Extracting with a CSV:

|stats count | eval bitfield = 5 | lookup bitlookup.csv bitfield OUTPUT bitnames | makemv delim="|" bitnames

$ cat bitlookup.csv

bitfield,bitnames
0,b0
1,b1
2,b2
3,b1|b2
4,b4
5,b1|b4
6,b2|b4
7,b1|b2|b4
8,b8
9,b1|b8
10,b2|b8
11,b1|b2|b8
12,b4|b8
13,b1|b4|b8
14,b2|b4|b8
15,b1|b2|b4|b8
0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎12-02-2013 02:42 AM

Use MATH

bitfield = 2^(x-1)

(because your first bitfield is not 0 but 1, hence the x-1 instead of x)
So,

x-1 = log2(bitfield)

And finally

x = log2(bitfield)+1

So when bitfield is 8, log2(bitfield) is 3, and so x = 3+1 = 4.

eval has the log(number,base) function that you can use for doing this.

... | eval numfield=log(bitfield,2)+1
Reply
Solved! Jump to solution

sbsbb
Builder
‎12-02-2013 09:13 AM

If I have a bit field set to 3, that means that I have the bit 1 and 2 set. That why I need a function to check what bits are set

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎12-02-2013 05:48 AM

Well my understanding of the bitfield is that it would always be a 2 exponent? So it'd follow the pattern 1,2,4,8,16,32,...

In that case bitfield will never be 3.

0 Karma
Reply
Solved! Jump to solution

sbsbb
Builder
‎12-02-2013 05:38 AM

I'm not sure to understand,
I've tried
|stats count | eval bitfield=3 | eval numfield=log(bitfield,2)+1

and I get numfield=2.58

I would need something like numfield=(1;2)..

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...