Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Converting a field value from Hexadecimal to Decimal...

Steve_Litras
Path Finder
‎06-04-2010 08:27 PM

This may end up being a dumb question, but my regex/sed mojo is not strong today...

I have 2 log files monitored that each refer to a "common" error code, but of course, one of them reports that code as a hex number, and the other reports it as the decimal representation of the same number (nothing like coding consistency!). I pull them each in as a separate sourcetype, and I want to be able to correlate across both sourcetypes, so I want to convert one of the two to match the other (so they're both hex or both dec - don't really care which). I'm planning on doing this as a SEDCMD- entry in transforms.conf, but can't figure out if I can do that - I know I can do it at search time with eval and tostring(), but I really want the field extracted and converted @ index time.

Any thoughts?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-05-2010 03:24 AM

At index time, you can only run regexes. I suppose if your life depended on it you could just enumerate the finite number of codes and SEDCMD each one, but seems much better to just do it at search time. If it's an issue of searching for the error codes, I'd suggest a search macro that would perform an eval on the macro argument (say, in decimal), figures out the hex equivalent and replaces the macro with an OR clause on both values.

View solution in original post

Reply
Solved! Jump to solution

Lowell
Super Champion
‎10-07-2010 01:50 PM

In Splunk 4.1.5 there is a new eval function called tonumber() which can be used to convert a hex value back to a decimal (based-10) value.

| eval dec_field=tostring(hex_field, 16)

Prior to 4.1.5 you have to do hex->dec conversions using and add-on search command; there was no way to do it out of the box.

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-05-2010 03:24 AM

At index time, you can only run regexes. I suppose if your life depended on it you could just enumerate the finite number of codes and SEDCMD each one, but seems much better to just do it at search time. If it's an issue of searching for the error codes, I'd suggest a search macro that would perform an eval on the macro argument (say, in decimal), figures out the hex equivalent and replaces the macro with an OR clause on both values.

Reply
Solved! Jump to solution

Lowell
Super Champion
‎06-04-2010 09:19 PM

You can't really use regexes to do hex/dec conversion, so I don't think the SEDCMD option will work. (Maybe you could pull it off with multiple SEDCMD steps if you had just a 2 digit hex string, but even so that's still lots of overhead.)

There is a hexdec app out there written for 3.x. But upgrading it to 4.x is just a matter of getting the metdata setup. It converts both to and from hexadecimal and decimal.

I really do wish splunk would allow some way of handling this out of the box.

Reply
Solved! Jump to solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-04-2010 08:39 PM

There's no good way to convert from hex to decimal at index time. I'd suggest sticking to search time evaluation.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...