Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Bitfield lookup

sbsbb
Builder
‎12-02-2013 02:15 AM

I have a field in the logs, that is a Bit-field.
Is there a way, a function to translate those field in a human readable mvfield ?

Here is a bitfield translation example :
1 test1
2 test2
4 test3
8 test4

What I would like, is a way to translate "3" in "test1,test2)

I would enjoy a | bitlookup bittranslation.csv bitfield
But I guess I would have seen it already, if there were one 😉

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sciurus
Path Finder
‎12-02-2013 01:27 PM

Extract using math:

  • divide by 2^n to shift the value right by n bits
  • modulo by 2 to get the low bit

|stats count | eval bitfield = 5 | eval numfield1=(bitfield % 2) | eval numfield2 = floor(bitfield / 2) % 2 | eval numfield3 = floor(bitfield / 4) % 2

or...

Extracting with a CSV:

|stats count | eval bitfield = 5 | lookup bitlookup.csv bitfield OUTPUT bitnames | makemv delim="|" bitnames

$ cat bitlookup.csv

bitfield,bitnames
0,b0
1,b1
2,b2
3,b1|b2
4,b4
5,b1|b4
6,b2|b4
7,b1|b2|b4
8,b8
9,b1|b8
10,b2|b8
11,b1|b2|b8
12,b4|b8
13,b1|b4|b8
14,b2|b4|b8
15,b1|b2|b4|b8

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sciurus
Path Finder
‎12-02-2013 01:27 PM

Extract using math:

  • divide by 2^n to shift the value right by n bits
  • modulo by 2 to get the low bit

|stats count | eval bitfield = 5 | eval numfield1=(bitfield % 2) | eval numfield2 = floor(bitfield / 2) % 2 | eval numfield3 = floor(bitfield / 4) % 2

or...

Extracting with a CSV:

|stats count | eval bitfield = 5 | lookup bitlookup.csv bitfield OUTPUT bitnames | makemv delim="|" bitnames

$ cat bitlookup.csv

bitfield,bitnames
0,b0
1,b1
2,b2
3,b1|b2
4,b4
5,b1|b4
6,b2|b4
7,b1|b2|b4
8,b8
9,b1|b8
10,b2|b8
11,b1|b2|b8
12,b4|b8
13,b1|b4|b8
14,b2|b4|b8
15,b1|b2|b4|b8
0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎12-02-2013 02:42 AM

Use MATH

bitfield = 2^(x-1)

(because your first bitfield is not 0 but 1, hence the x-1 instead of x)
So,

x-1 = log2(bitfield)

And finally

x = log2(bitfield)+1

So when bitfield is 8, log2(bitfield) is 3, and so x = 3+1 = 4.

eval has the log(number,base) function that you can use for doing this.

... | eval numfield=log(bitfield,2)+1
Reply
Solved! Jump to solution

sbsbb
Builder
‎12-02-2013 09:13 AM

If I have a bit field set to 3, that means that I have the bit 1 and 2 set. That why I need a function to check what bits are set

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎12-02-2013 05:48 AM

Well my understanding of the bitfield is that it would always be a 2 exponent? So it'd follow the pattern 1,2,4,8,16,32,...

In that case bitfield will never be 3.

0 Karma
Reply
Solved! Jump to solution

sbsbb
Builder
‎12-02-2013 05:38 AM

I'm not sure to understand,
I've tried
|stats count | eval bitfield=3 | eval numfield=log(bitfield,2)+1

and I get numfield=2.58

I would need something like numfield=(1;2)..

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...