Hey all
The PAN-OS traffic log includes a log field 'flags'.
'Flags' is a 32-bit field that provides details on the session. This field can be decoded with a bitwise AND operation.
E.g. you have to bitwise AND the value 0x01000000 with the logged value to know whether an SSL session was decrypted.
I guess that I have to convert the logged hexadecimal value to decimal. That is no problem.
But the bitwise operation requires converting the value to a binary value, and here I'm stuck.
I don't manage to convert the value to binary for each event of the traffic logs.
That's why I don't get to the point where I can bitwise AND the logged value with a value provided by a list from Palo Alto Networks.
Does anyone have an idea how to make a bitwise AND operation for a high number of events in Splunk?
This solution is working like a charm and is an effective way to convert hex to bin.
Unfortunately I am now stuck on the second part of the task, the bitwise AND.
I tried
eval = bwa ( bin1 * bin2)
e.g.
bin1 = 0000000000000000000000011011
bin2 = 0001000000000000000000000000
the expected result should be
0000000000000000000000000000
but the result from the eval function is
1101100000000000000000000000
Maybe the detour via binary numbers is the wrong approach, or the operation is not correct.
Do you have an idea?
If you just want the value of the 4th bit, use substr()
| eval binary=replace(hex,"0","z")
| eval binary=replace(binary,"1","o")
| eval binary=replace(binary,"f","1111")
| eval binary=replace(binary,"e","1110")
...
| eval binary=replace(binary,"o","0001")
| eval binary=replace(binary,"z","0000")
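A way to test the 0x01000000 flag without going through a binary string, as an added example that is not part of this thread: convert the hex to a number with tonumber(), then isolate bit 24 (0x01000000 = 2^24) with floor(), pow() and the modulus operator. Assumptions: the field is named flags, it may or may not carry a "0x" prefix, and the three sample values fed in via makeresults are constructed for the demo.

```spl
| makeresults count=1
| eval flags=split("0x01000000,0x00000019,0x01000019,1000000", ",")
| mvexpand flags
| eval flags_dec=tonumber(replace(flags, "^0[xX]", ""), 16)
| eval mask_hex="01000000"
| eval mask_dec=tonumber(mask_hex, 16)
| eval mask_bit=round(log(mask_dec, 2), 0)
| eval decrypted_bit=floor(flags_dec / pow(2, mask_bit)) % 2
| eval ssl_decrypted=if(decrypted_bit == 1, "yes", "no")
| table flags flags_dec mask_hex mask_bit decrypted_bit ssl_decrypted
```

The floor/pow/modulus test only works for masks with a single bit set, which is the case for 0x01000000; on Splunk versions that provide bit_and() (an assumption about your version), `bit_and(flags_dec, mask_dec) > 0` is the direct equivalent and also handles multi-bit masks.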