Splunk Search

Does anyone have an idea how to make a bitwise AND operation for a high number of events in Splunk?

Berma
New Member

Hey all

The PAN-OS traffic log includes a log field 'flags'.

'Flags' is a 32-bit field that provides details on the session. This field can be decoded with a bitwise AND operation.

E.g. you have to bitwise-AND the value 0x01000000 with the logged value to know whether an SSL session was decrypted.

I guess that I have to convert the logged hexadecimal value to decimal. That is no problem.

But the bitwise operation requires converting the value to a binary value, and here I'm stuck.

I don't manage to convert the value to binary for each event of the traffic logs.

That's why I don't get to the point where I can bitwise-AND the logged value with a value provided by a list from Palo Alto Networks.

Does anyone have an idea how to make a bitwise AND operation for a high number of events in Splunk?


Berma
New Member

This solution is working like a charm and is an effective way to convert hex to bin.

Unfortunately I am now stuck with the second part of the task, the bitwise AND.

I tried

eval = bwa ( bin1 * bin2)

e.g.
bin1 = 0000000000000000000000011011

bin2 = 0001000000000000000000000000

the expected result should be

0000000000000000000000000000

but the result from the eval function is

1101100000000000000000000000

Maybe the detour via binary numbers is the wrong approach, or the operation is not correct.

Do you have an idea?

ITWhisperer
SplunkTrust

If you just want the value of the 4th bit, use substr()


ITWhisperer
SplunkTrust
| eval binary=replace(hex,"0","z")
| eval binary=replace(binary,"1","o")
| eval binary=replace(binary,"f","1111")
| eval binary=replace(binary,"e","1110")
...
| eval binary=replace(binary,"o","0001")
| eval binary=replace(binary,"z","0000")
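Added example, not part of the thread: the bit test the original question asks for can be done directly on the decimal value, with no binary string at all. For a mask that is a single bit (such as 0x01000000, which is 2^24), the bit is set exactly when floor(value / mask) % 2 equals 1, and eval supports floor(), pow() and % in every Splunk version. The field name `flags` and the 0x01000000 "SSL decrypted" mask come from the question; the four flag values fed in through makeresults are constructed test data, and in a real search the first three lines would be replaced by the base search for the PAN-OS traffic logs (index and sourcetype are not stated in the thread).

```spl
| makeresults
| eval flags=split("0x01000400,0x00400000,0x81000000,0x00000000", ",")
| mvexpand flags
| eval flags_dec=tonumber(replace(flags, "^0x", ""), 16)
| eval mask_decrypted=tonumber("01000000", 16)
| eval bit_set=floor(flags_dec / mask_decrypted) % 2
| eval ssl_decrypted=if(bit_set==1, "yes", "no")
| eval bit24=floor(flags_dec / pow(2, 24)) % 2
| table flags flags_dec bit_set ssl_decrypted bit24
```

With the constructed values, 0x01000400 and 0x81000000 give bit_set=1 (decrypted) and 0x00400000 and 0x00000000 give 0; the `bit24` column is the same test written for an arbitrary bit position n as floor(flags_dec / pow(2, n)) % 2, which is how you would loop over the whole Palo Alto flag list, one single-bit mask per eval. The `0x` prefix is stripped before tonumber() is given base 16 so that the conversion does not fail on the prefix. The floor/modulo trick only works for single-bit masks; a mask with several bits set has to be tested bit by bit. On Splunk 9.0 or later the bitwise functions exist in eval, and the bit_set line can be replaced by `| eval bit_set=if(bit_and(flags_dec, mask_decrypted) > 0, 1, 0)`, which also handles multi-bit masks.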