I've got a log that includes an obfuscated IP address. The source takes dotted decimal, reverses the order of the octets, converts them to binary, concatenates them, and then converts to decimal.
10.9.8.7 is turned around:
7 8 9 10
Then the octets are changed to binary:
00000111 00001000 00001001 00001010
Then all smashed together:
Then converted to a decimal number:
And that's what I get in the log. Are there any fun tools in Splunk that would help? If the set were limited, I could just use a lookup table.
OK - This is what worked:
| eval ip=if(encip<1,encip+2147483648,enc_ip) | eval aaa=floor(ip/16777216) | eval bbb=floor((ip-aaa*16777216)/65536) | eval ccc=floor((ip-(aaa*16777216+bbb*65536))/256)| eval ddd=ip-(aaa*16777216+bbb*65536+ccc*256) | eval ipv4=tostring(ddd)+"."+tostring(ccc)+"."+tostring(bbb)+"."+tostring(aaa)
I adapted this from http://answers.splunk.com/answers/38750/how-to-convert-ip
What if you want to match the ip against another CSV file to see if it falls in the range?
looks like this
(( 3743019008, -----> this is actually 188.8.131.52 if converted to IP format
3743020031, -----> range end 184.108.40.206