Logged output is like:
... ip: 0xAABBCCDD, ...
I'd like to convert the AABBCCDD to 170.187.204.221, and map the locations.
I'm currently doing:
sourcetype=MySource daysago=1 | rex field=_raw "(?i)0x(?P
Any more efficient method of doing the conversion?
Thanks.
One thing that will probably make it more efficient is to reduce the number of operations:
... | rex "(?i)0x(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})"
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16)) | geoip ip
Since the geoip command is converting the IP back to an integer, it might be a good idea to extend the command to allow the processing of integer values directly. I'll probably add this in the future.
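The same conversion the answer's rex/eval pipeline performs, written out as an added Python example (not part of the original thread and not Splunk's own code) so it can be checked offline against constructed log lines. The sample lines, the `ip:` field label and the little-endian option are assumptions for illustration; the original post only shows that the value is a 32-bit hex word such as 0xAABBCCDD. The example also shows the dotted-quad-to-integer round trip that the answer says the geoip command does internally.

```python
import re
import ipaddress

# Constructed sample log lines in the shape the question describes; not real data.
SAMPLE_LOGS = [
    "2024-01-01T00:00:00Z conn ip: 0xAABBCCDD, port: 443",
    "2024-01-01T00:00:01Z conn ip: 0x0a000001, port: 22",
    "2024-01-01T00:00:02Z conn ip: 0xZZ, port: 80",  # malformed value, must be skipped
]

# Same idea as the rex in the answer: case-insensitive, exactly eight hex digits
# after "0x". Anchoring on the "ip:" label (assumed) avoids matching other hex words.
HEX_IP_RE = re.compile(r"(?i)\bip:\s*0x(?P<hexip>[0-9A-F]{8})\b")


def hex_to_dotted(hexip, little_endian=False):
    """Convert an 8-hex-digit string to dotted-quad notation.

    The answer assumes the bytes are logged most-significant first (0xAABBCCDD ->
    170.187.204.221). Some sources log the host-order word instead, so the
    little_endian flag reverses the bytes; check a known address before choosing.
    """
    raw = bytes.fromhex(hexip)  # raises ValueError on non-hex input
    if little_endian:
        raw = raw[::-1]
    return str(ipaddress.IPv4Address(raw))


def dotted_to_int(dotted):
    """The reverse step that the answer says geoip performs on its input."""
    return int(ipaddress.IPv4Address(dotted))


def extract_ips(lines, little_endian=False):
    """Pull every convertible IP out of the given lines, skipping lines that
    carry no well-formed 0x........ value (like the malformed sample above)."""
    found = []
    for line in lines:
        match = HEX_IP_RE.search(line)
        if match is None:
            continue
        found.append(hex_to_dotted(match.group("hexip"), little_endian))
    return found


if __name__ == "__main__":
    for ip in extract_ips(SAMPLE_LOGS):
        print(ip, hex(dotted_to_int(ip)))
```

Running it prints the two valid addresses with their integer form, and the malformed line is dropped rather than producing a bogus address; in the Splunk pipeline the equivalent guard is that rex simply yields no d1..d4 fields for such events, so the eval produces no ip and geoip has nothing to look up.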
I tried some sample events myself and it looks like you have a pretty good solution here.