Splunk Search

## Bitwise workaround

Path Finder

I have a field StreamId=0x12da3b7514f19ce7
I want to do this:
(StreamId >> 😎 & 0xFFFFFFFF

I know I can /256 to shift 8, but I'm trying for a one-liner without any custom macros or search commands.

Without an extensive eval/if(if(if(if(...

Any suggestions?

Thanks,

Bob

Tags (2)
Path Finder

| rex field=StreamId "0x(?<oct4>\S{2})(?<oct3>\S{2})(?<oct2>\S{2})(?<oct1>\S{2})(?<engine>\S{2})"

| eval oct1=tonumber(oct1, 16)

| eval oct2=tonumber(oct2, 16)

| eval oct3=tonumber(oct3, 16)

| eval oct4=tonumber(oct4, 16)

| eval Engine=tonumber(engine, 16)

| eval Machine=oct1.".".oct2.".".oct3.".".oct4

This worked for me, now I just need to | nslookup. Thanks for the input.

SplunkTrust

Yes, it's code - but this would probably be a good place for a dynamic lookup. Your lookup could perform the bitwise operations and return a new field with the new value.

SplunkTrust

I don't think splunk does bitwise operations. After all, for bitwise operations you first need an agreement on how a number looks like in bits, and that doesn't feel splunky.

However, you can shimmy your way around that with a bit of maths. You already said how shifting is nothing else than dividing by a power of two and then flooring the result, that's the first step. Second, a bitwise and throwing out a number of starting bits and keeping all the bits after that is nothing other than a modulo operation. For instance 0x123 & 0xff is 0x23, yes? Going decimal, 0x123 is 291, doing 291 % 256 yields 35 - which is 0x23.

Get Updates on the Splunk Community!

#### .conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

#### Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

#### Troubleshooting the OpenTelemetry Collector

In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...