Hello guys,
I'm working on data exported by telecom devices, and the IPs are exported in decimal format, as 170468155.
Can you help convert this to the normal dotted-quad IP format xxx.xxx.xxx.xxx?
I tested this app, it works. It's on Splunkbase:
IP Format Conversion Scripted Lookup
Have a look at this answer:
https://answers.splunk.com/answers/108752/converting-an-encoded-ip-address-to-dotted-decimal.html
I saw that answer before asking my question. It's a different case.
Hi @Muwafi,
If your decimal value is present in the IP field, then try this:
| eval ip=if(IP<1,IP+2147483648,IP) | eval aaa=floor(ip/16777216) | eval bbb=floor((ip-aaa*16777216)/65536) | eval ccc=floor((ip-(aaa*16777216+bbb*65536))/256)| eval ddd=ip-(aaa*16777216+bbb*65536+ccc*256) | eval ipv4=tostring(aaa)+"."+tostring(bbb)+"."+tostring(ccc)+"."+tostring(ddd)
Try this run-anywhere search:
|makeresults|eval IP="170468155"| eval ip=if(IP<1,IP+2147483648,IP) | eval aaa=floor(ip/16777216) | eval bbb=floor((ip-aaa*16777216)/65536) | eval ccc=floor((ip-(aaa*16777216+bbb*65536))/256)| eval ddd=ip-(aaa*16777216+bbb*65536+ccc*256) | eval ipv4=tostring(aaa)+"."+tostring(bbb)+"."+tostring(ccc)+"."+tostring(ddd)
So for a decimal value of IP="170468155" it will output "10.41.35.59".
Hi,
Have you tried this?
| eval ips=tostring(ip)| eval newip=substr(ips,1,3)+"."+substr(ips,4,6)+"."+substr(ips,7,9)
Assuming your 170468155 is a field value for a field named ip.
That didn't work!
Didn't work? Care to explain? Can you post your event log containing your ip field?
What you are asking is very simple. I suspect we are not understanding your question completely.
It's giving a wrong result.
If you use this website, https://www.ipaddressguide.com/ip, to convert between decimal IP and dotted-quad IP, the result of converting 170468155 is 10.41.35.59, while your eval result is 170.468155.155.
The issue is not adding the ".", it needs calculations!
Hang on a second... this is not strictly a Splunk question. What you need is the logic to convert the decimal to an IP (in general mathematical terms) and then implement the same in Splunk.
Do you have the maths / formula behind the conversion?
We can then try to implement the same in Splunk.
I don't have the formula 😞
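The formula asked about in the last comments, written out as an added example that is not part of the original thread or of the Splunkbase app: a decimal IPv4 value is a base-256 number, so each octet comes from dividing by 16777216 (256^3), 65536 (256^2) and 256, the same constants the eval chain above uses. The function names and sample rows are constructed for illustration, and treating negative values as signed 32-bit exports is an assumption about the device.

```python
def decimal_to_dotted_quad(value):
    """Convert an IPv4 address exported as a decimal integer to dotted quad."""
    n = int(str(value).strip())  # exported fields usually arrive as strings
    if not -2**31 <= n <= 2**32 - 1:
        raise ValueError(f"not a 32-bit IPv4 value: {value!r}")
    if n < 0:
        # Assumption: a negative number is a signed 32-bit export
        # (two's complement), so shift it back into 0..2^32-1.
        n += 2**32
    # Place-value arithmetic: n = aaa*256^3 + bbb*256^2 + ccc*256 + ddd
    aaa, rest = divmod(n, 16777216)
    bbb, rest = divmod(rest, 65536)
    ccc, ddd = divmod(rest, 256)
    return f"{aaa}.{bbb}.{ccc}.{ddd}"


def dotted_quad_to_decimal(ip):
    """Inverse conversion, useful for checking a converted column."""
    octets = [int(part) for part in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    aaa, bbb, ccc, ddd = octets
    return aaa * 16777216 + bbb * 65536 + ccc * 256 + ddd


def convert_column(values):
    """Convert many exported values; return (converted, rejected).

    Rejected rows are reported instead of being turned into a wrong
    address, which is what plain string slicing would do.
    """
    converted, rejected = {}, []
    for raw in values:
        try:
            converted[raw] = decimal_to_dotted_quad(raw)
        except ValueError:
            rejected.append(raw)
    return converted, rejected


if __name__ == "__main__":
    # Constructed sample rows: the value from the question, a signed
    # export, an out-of-range number and a non-numeric placeholder.
    sample = ["170468155", "-1", "4294967296", "n/a"]
    good, bad = convert_column(sample)
    for raw, ip in good.items():
        print(f"{raw:>12} -> {ip}")
    print("rejected:", bad)
```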