
Does anyone have an idea how to make a bitwise AND operation for a high number of events in Splunk?

Berma
New Member

Hey all

The PAN-OS traffic log includes a log field 'flags'.

'Flags' is a 32-bit field that provides details on the session. This field can be decoded with a bitwise AND operation.

E.g. you have to bitwise AND the value 0x01000000 with the logged value to know that an SSL session was decrypted.

I guess that I have to convert the logged hexadecimal value to decimal. That is no problem.

But the bitwise operation requires converting the value to a binary value, and here I'm stuck.

I don't manage to convert the value to binary for each event of the traffic logs.

That's why I don't get to the point where I bitwise AND the logged value with a value provided by a list from Palo Alto Networks.

Does anyone have an idea how to make a bitwise AND operation for a high number of events in Splunk?

Berma
New Member

This solution is working like a charm and is an effective way to convert hex to bin.

Unfortunately I am now at the second part of the task, the bitwise AND.

I tried

eval = bwa ( bin1 * bin2)

E.g.

bin1 = 0000000000000000000000011011

bin2 = 0001000000000000000000000000

The expected result should be

0000000000000000000000000000

but the result from the eval function is

1101100000000000000000000000

Maybe the detour via binary numbers is the wrong approach or the operation is not correct.

Do you have an idea?

ITWhisperer
SplunkTrust

If you just want the value of the 4th bit, use substr()

ITWhisperer
SplunkTrust

| eval binary=replace(hex,"0","z")
| eval binary=replace(binary,"1","o")
| eval binary=replace(binary,"f","1111")
| eval binary=replace(binary,"e","1110")
...
| eval binary=replace(binary,"o","0001")
| eval binary=replace(binary,"z","0000")
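The following search is an added example (not code from the thread or from Palo Alto Networks) that answers the original question directly and complements the hex-to-binary conversion above: eval has no AND over binary strings, and `*` on two strings of digits multiplies them as decimal numbers, which is why the attempt in the reply produced a wrong result. The detour through a binary string is not needed. Convert the hex flags to a decimal number with tonumber(), then test the mask in one of two ways: bit_and(), which exists in Splunk 9.0 and later, or the floor/modulo trick, which works on any version but only for single-bit masks such as 0x01000000. The three `flags` values are constructed test data built with makeresults; in a real search, replace the first three lines with your PAN-OS traffic search. The only mask meaning taken from the thread is 0x01000000 = SSL session decrypted; the field name `flags` is assumed to hold a value like "0x01000000".

```spl
| makeresults count=3
| streamstats count AS n
| eval flags=case(n==1, "0x01000000", n==2, "0x0000001b", n==3, "0x01400000")
| fields - _time n

| eval flags_dec = tonumber(replace(flags, "^0x", ""), 16)
| eval mask_ssl_decrypted = tonumber("01000000", 16)

| eval ssl_decrypted = if(bit_and(flags_dec, mask_ssl_decrypted) != 0, "yes", "no")

| eval ssl_decrypted_compat = if((floor(flags_dec / mask_ssl_decrypted) % 2) == 1, "yes", "no")

| table flags flags_dec ssl_decrypted ssl_decrypted_compat
```

With the constructed rows, 0x01000000 and 0x01400000 come out as "yes" in both columns and 0x0000001b as "no". To decode further flags, add one `mask_*` eval per entry in the Palo Alto Networks list and one bit_and() test per mask; bit_and() also handles masks that set more than one bit, where the floor/modulo form does not apply. If you keep the binary-string approach from the reply above instead, make sure the hex value is zero-padded to 8 digits before conversion so the string is 32 characters long; the 0x01000000 bit is then character 8 counted from the left, i.e. substr(binary, 8, 1), and an unpadded value shifts that position.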