Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to convert IP to decimal

KwonTaeHoon
Path Finder
‎04-17-2024 06:30 AM

Hello

My lookup table has fields of src_ip, dst_ip, and description.

src_ip=192.168.1.1

dst_ip=192.168.1.100

description="internal IP"

I want to convert the src_ip field and dst_ip to decimal.

If you know how to convert it, please add a reply.

 

Thank you

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎04-17-2024 04:35 PM

Let me give this a semantic makeover using bit_shift_left😃 (9.2 and above - thanks @jason_hotchkiss for noticing) because semantic code is easier to understand and maintain.

 

| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)
| foreach *_ip
    [eval <<FIELD>> = split(<<FIELD>>, "."),
    <<FIELD>>_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(<<FIELD>>, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(<<FIELD>>, 3))),
    <<FIELD>> = mvjoin(<<FIELD>>, ".") ``` this last part for display only ```]
| fields - offset segment_rev

 

The sample data gives

dst_ipdst_ip_decsrc_ipsrc_ip_dec
192.168.1.1003232235876192.168.1.13232235777

Here is an emulation you can play with and compare with real data

 

 

| makeresults format=csv data="src_ip, dst_ip
192.168.1.1, 192.168.1.100"
``` data emulation above ```

 

 

Note: If it helps readability., you can skip foreach and spell the two operations separately.

 

| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)
| eval src_ip = split(src_ip, ".")
| eval dst_ip = split(dst_ip, ".")
| eval src_ip_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(src_ip, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(src_ip, 3)))
| eval dst_ip_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(dst_ip, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(dst_ip, 3)))
| eval src_ip = mvjoin(src_ip, "."), dst_ip = mvjoin(dst_ip, ".") ``` for display only ```
| fields - offset segment_rev

 

 

 

 

Reply

jason_hotchkiss
Communicator
‎04-18-2024 06:33 AM

 

 

 

| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)
| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)

 

 

 

 
For the above, should the second set have been given a different value for the field? 

Additionally, when I run the example, I received:

04-18-2024 13:36:06.590 ERROR EvalCommand [102993 searchOrchestrator] - The 'bit_shift_left' function is unsupported or undefined.

I believe the function requires 9.2.0+

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎04-18-2024 09:45 AM
04-18-2024 13:36:06.590 ERROR EvalCommand [102993 searchOrchestrator] - The 'bit_shift_left' function is unsupported or undefined.

I believe the function requires 9.2.0+

Thanks for noticing!  I always assumed that bitwise operations had been part of SPL from day one but no.  The document has this footer: "This documentation applies to the following versions of Splunk® Enterprise: 9.2.0, 9.2.1." (Searching in previous versions results in the same pointers to 9.2.)

For the above, should the second set have been given a different value for the field?

Those are really bad copy-and-paste errors.  Corrected.

0 Karma
Reply

jason_hotchkiss
Communicator
‎04-17-2024 07:10 AM

Take a look at this solution:  

https://community.splunk.com/t5/Splunk-Search/Convert-Hexadecimal-IP-v4-addresses-to-decimal/td-p/40...

You could use:  (?<d1>\d{1,3})\.(?<d2>\d{1,3})\.(?<d3>\d{1,3})\.(?<d4>\d{1,3}) for your particular example as the rex conversion.

| makeresults count=1
| eval src_ip = "192.168.1.1"
| streamstats values(src_ip) as src_ip by _time
| rex field=src_ip "(?<d1>\d{1,3})\.(?<d2>\d{1,3})\.(?<d3>\d{1,3})\.(?<d4>\d{1,3})"
| eval dec_src_ip = 'd1'*16777216+'d2'*65536+'d3'*256+'d4'+0



There is also an app that provides you a command to do the conversion:  
https://splunkbase.splunk.com/app/512

 

0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games Tutorial Extension - part 9

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games Tutorial Extension - part 8

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Introducing the Splunk Developer Program!

Hey Splunk community! We are excited to announce that Splunk is launching the Splunk Developer Program in ...
li.common.scroll-to.top