Splunk Search

Does anyone have an idea how to make a bitwise AND operation for a high number of events in Splunk?

Berma
New Member

Hey all

The PAN-OS traffic log includes a log field 'flags'.

'Flags' is a 32-bit field that provides details on the session. This field can be decoded with a bitwise AND operation.

E.g. you have to bitwise AND the value 0x01000000 with the logged value to know that an SSL session was decrypted.

I guess that I have to convert the logged hexadecimal value to decimal. That is no problem.

But the bitwise operation requires converting the value to a binary value, and here I'm stuck.

I don't manage to convert the value to binary for each event of the traffic logs.

That's why I don't get to the point where I can bitwise AND the logged value with a value provided by a list from Palo Alto Networks.

Does anyone have an idea how to make a bitwise AND operation for a high number of events in Splunk?

Berma
New Member

This solution is working like a charm and is an effective way to convert hex to bin.

Unfortunately I am now at the second part of the task, the bitwise AND.

I tried

eval = bwa ( bin1 * bin2)

e.g.
bin1 = 0000000000000000000000011011

bin2 = 0001000000000000000000000000

The expected result should be

0000000000000000000000000000

But the result from the eval function is

1101100000000000000000000000

Maybe the detour via binary numbers is the wrong approach or the operation is not correct.

Do you have an idea?

ITWhisperer
SplunkTrust

If you just want the value of the 4th bit, use substr()


ITWhisperer
SplunkTrust

| eval binary=replace(hex,"0","z")
| eval binary=replace(binary,"1","o")
| eval binary=replace(binary,"f","1111")
| eval binary=replace(binary,"e","1110")
...
| eval binary=replace(binary,"o","0001")
| eval binary=replace(binary,"z","0000")
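The same replace-chain expansion as the SPL above, followed by the character-wise bitwise AND that the question is after, as an added Python example that is not from this thread. It uses the same placeholder trick (0 and 1 become z and o first, so the bits produced by later nibble expansions are never rewritten), then checks the 0x01000000 mask from the question against constructed sample flags values; the bit meanings other than that one are not covered here.

```python
# Added example (not from the thread): hex-to-binary via placeholder
# substitution, mirroring the SPL replace chain, plus a string-based
# bitwise AND applied to constructed PAN-OS "flags" values.

SSL_DECRYPTED_MASK = "0x01000000"  # the mask given in the question


def hex_to_bin(hexval: str, width: int = 32) -> str:
    """Expand a hex string to a binary string of `width` digits.

    Same order as the SPL: 0 -> z and 1 -> o first, so the 1s and 0s
    emitted by the nibble expansions below are never re-replaced.
    """
    s = hexval.lower()
    if s.startswith("0x"):
        s = s[2:]
    s = s.replace("0", "z").replace("1", "o")
    for digit in "fedcba98765432":
        s = s.replace(digit, format(int(digit, 16), "04b"))
    s = s.replace("o", "0001").replace("z", "0000")
    return s.zfill(width)


def bit_and(bin1: str, bin2: str) -> str:
    """Bitwise AND of two binary strings, compared one character at a time."""
    width = max(len(bin1), len(bin2))
    a, b = bin1.zfill(width), bin2.zfill(width)
    return "".join("1" if x == "1" and y == "1" else "0" for x, y in zip(a, b))


def flag_set(flags_hex: str, mask_hex: str) -> bool:
    """True when every bit of mask_hex is set in flags_hex."""
    mask = hex_to_bin(mask_hex)
    return bit_and(hex_to_bin(flags_hex), mask) == mask


# Constructed sample values for the flags field (not real PAN-OS log data).
SAMPLE_FLAGS = ["0x0000001b", "0x0100001b", "0x00400000"]

if __name__ == "__main__":
    for f in SAMPLE_FLAGS:
        state = "ssl_decrypted" if flag_set(f, SSL_DECRYPTED_MASK) else "-"
        print(f, hex_to_bin(f), state)
```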