Hello @tscroggins ,
   Thanks for your reply!

   I'm having this error - "Error in 'EvalCommand': The 'bit_shift_right' function is unsupported or undefined."

Can you help in resolving this error.

Thanks in Advance!

Here's an alternative that uses a few helper macros to replace the bitwise eval functions. Bit rotate functions would be a nice addition to Splunk, as would a parameter on all bitwise functions to specify width.

| makeresults
| eval HEX_Code="0002"
``` convert to number ```
| eval x=tonumber(HEX_Code, 16)
``` swap bytes ```
| eval t=`bitshl(x, 8)`, x=`bitshr(x, 8)`+`bitand_16(t, 65280)`
``` calculate number of trailing zeros (ntz) ```
| eval t=65535-x+1, y=`bitand_16(x, t)`
| eval bz=if(y>0, 0, 1), b3=if(`bitand_16(y, 255)`>0, 0, 8), b2=if(`bitand_16(y, 3855)`>0, 0, 4), b1=if(`bitand_16(y, 13107)`>0, 0, 2), b0=if(`bitand_16(y, 21845)`>0, 0, 1)
| eval ntz=bz+b3+b2+b1+b0
``` ntz=9 ```

# macros.conf

[bitand_16(2)]
args = x, y
definition = sum(1 * (floor($x$ / 1) % 2) * (floor($y$ / 1) % 2), 2 * (floor($x$ / 2) % 2) * (floor($y$ / 2) % 2), 4 * (floor($x$ / 4) % 2) * (floor($y$ / 4) % 2), 8 * (floor($x$ / 😎 % 2) * (floor($y$ / 😎 % 2), 16 * (floor($x$ / 16) % 2) * (floor($y$ / 16) % 2), 32 * (floor($x$ / 32) % 2) * (floor($y$ / 32) % 2), 64 * (floor($x$ / 64) % 2) * (floor($y$ / 64) % 2), 128 * (floor($x$ / 128) % 2) * (floor($y$ / 128) % 2), 256 * (floor($x$ / 256) % 2) * (floor($y$ / 256) % 2), 512 * (floor($x$ / 512) % 2) * (floor($y$ / 512) % 2), 1024 * (floor($x$ / 1024) % 2) * (floor($y$ / 1024) % 2), 2048 * (floor($x$ / 2048) % 2) * (floor($y$ / 2048) % 2), 4096 * (floor($x$ / 4096) % 2) * (floor($y$ / 4096) % 2), 8192 * (floor($x$ / 8192) % 2) * (floor($y$ / 8192) % 2), 16384 * (floor($x$ / 16384) % 2) * (floor($y$ / 16384) % 2), 32768 * (floor($x$ / 32768) % 2) * (floor($y$ / 32768) % 2))
iseval = 0

[bitshl(2)]
args = x, k
definition = floor(pow(2, $k$) * $x$)
iseval = 0

[bitshr(2)]
args = x, k
definition = floor(pow(2, -$k$) * $x$)
iseval = 0

bit-wise functions only came into Splunk Enterprise in 9.2.0 and in 9.1 in Cloud Services (according to the documentation) - which version of Splunk are you using?

@yuanliu 01100011 was _not_ hex. It was binary for 0x63. That's why I'm completely confused by @smanojkumar 's explanation as to how the algorithm is supposed to work. Does it work on 16-bit integers only? Does it work on any length stream of data? Does it always produce 32-bit integers? Or does the result grow with the length of the argument? It's so badly specified...

Hi @yuanliu & @ITWhisperer  & @tscroggins  & @PickleRick  & @dural_yyz ,

    Thanks everyone for your time, it works for me.

Thanks in Advance!

Hello @yuanliu ,
   Thanks for your response!

    I'm having this error "Error in 'EvalCommand': The arguments to the 'tostring' function are invalid.", can you please help me in this.


Thanks in advance!

"binary" only came into Splunk Enterprise in 9.2.0 and doesn't appear to be in Cloud Services yet (according to the documentation)

Hello @ITWhisperer ,
   Thanks for that.
   I'm currebtly using Splunk Enterprise with Version 9.1.1, So thats the reason.

   Any alternative way to work on this with this version?

Thanks for pointing it out.

regards,
Manoj Kumar S

Having converted the number to hex, perform 16 replacements, starting with 0, then 1, replacing the hex digit with the corresponding binary equivalent.

Hello @ITWhisperer ,

   Thanks for your resposne!

   If you don't mind changing the code as well.

Thansk a lot for your resposne!

Here are the first four, I am sure you can workout from this how to do the other 12 hex digits

| eval ASbinary=if(idx < 1, replace(replace(replace(replace(reverse2hex,"0","0000"),"1","0001"),"2","0010"),"3","0011"), mvmap(reverse2hex, replace(replace(replace(replace(reverse2hex,"0","0000"),"1","0001"),"2","0010"),"3","0011")))

Hi @ITWhisperer ,

   Thanks, It works on that place.

Nice job. I'm stil not convinced it's how it was supposed to work 😉

Hello @PickleRick ,

   Sorry for the mistake!

   I have edited in the post,

Considering 0*63 is 01100011

Seperating the byte as with 2positions

byte 0 - 01 -> 0000 0001
byte 1 - 10 -> 0001 0000
byte 2 - 00 -> 0000 0000
byte 3 - 11 -> 0001 0001

Combining it byte 3 byte 2 byte 1 byte 0 - 0001 0001 0000 0000 0001 0000 0000 0001

Counting the non zero postions  - 0, 12, 24, 28

These were the answers.

please let me know if there are anything.

Thanks in advance!

OK. Fully honestly, I don't see the point in doing so. You're adding some synthetic zeros and then count something which will easily be divisible by 4 (because when you're preparing your bitstring he ones must be separated by multiplies of 4).

You're doing some strange bit swapping (and it's completely inconsistent - your original example had something that resembled a 16-bits little-endian integer which you "converted" to 32-bit value and from my single bit 0x63 value you also built a 32-bit value but obviously in a different way).

So, to be absolutely frank, it doesn't make much sense.

A completely separate thing is why would you want to do it in splunk? (actually the easiest solution could be to implement an external lookup using a python script).