Splunk Search

How to convert IP to decimal

KwonTaeHoon
Path Finder

Hello

My lookup table has fields of src_ip, dst_ip, and description.

src_ip=192.168.1.1

dst_ip=192.168.1.100

description="internal IP"

I want to convert the src_ip field and dst_ip to decimal.

If you know how to convert it, please add a reply.


Thank you


yuanliu
SplunkTrust

Let me give this a semantic makeover using bit_shift_left😃 (9.2 and above - thanks @jason_hotchkiss for noticing) because semantic code is easier to understand and maintain.


| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)
| foreach *_ip
    [eval <<FIELD>> = split(<<FIELD>>, "."),
    <<FIELD>>_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(<<FIELD>>, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(<<FIELD>>, 3))),
    <<FIELD>> = mvjoin(<<FIELD>>, ".") ``` this last part for display only ```]
| fields - offset segment_rev


The sample data gives

dst_ip          dst_ip_dec    src_ip        src_ip_dec
192.168.1.100   3232235876    192.168.1.1   3232235777

Here is an emulation you can play with and compare with real data


| makeresults format=csv data="src_ip, dst_ip
192.168.1.1, 192.168.1.100"
``` data emulation above ```

Note: If it helps readability, you can skip foreach and spell the two operations separately.


| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)
| eval src_ip = split(src_ip, ".")
| eval dst_ip = split(dst_ip, ".")
| eval src_ip_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(src_ip, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(src_ip, 3)))
| eval dst_ip_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(dst_ip, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(dst_ip, 3)))
| eval src_ip = mvjoin(src_ip, "."), dst_ip = mvjoin(dst_ip, ".") ``` for display only ```
| fields - offset segment_rev

jason_hotchkiss
Communicator

| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)
| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)

For the above, should the second set have been given a different value for the field?

Additionally, when I run the example, I received:

04-18-2024 13:36:06.590 ERROR EvalCommand [102993 searchOrchestrator] - The 'bit_shift_left' function is unsupported or undefined.

I believe the function requires 9.2.0+

yuanliu
SplunkTrust

04-18-2024 13:36:06.590 ERROR EvalCommand [102993 searchOrchestrator] - The 'bit_shift_left' function is unsupported or undefined.

I believe the function requires 9.2.0+

Thanks for noticing!  I always assumed that bitwise operations had been part of SPL from day one but no.  The document has this footer: "This documentation applies to the following versions of Splunk® Enterprise: 9.2.0, 9.2.1." (Searching in previous versions results in the same pointers to 9.2.)


For the above, should the second set have been given a different value for the field?

Those are really bad copy-and-paste errors.  Corrected.


jason_hotchkiss
Communicator

Take a look at this solution:  

https://community.splunk.com/t5/Splunk-Search/Convert-Hexadecimal-IP-v4-addresses-to-decimal/td-p/40...

You could use:  (?<d1>\d{1,3})\.(?<d2>\d{1,3})\.(?<d3>\d{1,3})\.(?<d4>\d{1,3}) for your particular example as the rex conversion.

| makeresults count=1
| eval src_ip = "192.168.1.1"
| streamstats values(src_ip) as src_ip by _time
``` pull the four octets into d1..d4 ```
| rex field=src_ip "(?<d1>\d{1,3})\.(?<d2>\d{1,3})\.(?<d3>\d{1,3})\.(?<d4>\d{1,3})"
``` 16777216 = 2^24, 65536 = 2^16, 256 = 2^8; the trailing +0 forces numeric arithmetic ```
| eval dec_src_ip = 'd1'*16777216+'d2'*65536+'d3'*256+'d4'+0



There is also an app that provides you a command to do the conversion:  
https://splunkbase.splunk.com/app/512
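Both SPL variants in this thread compute the same thing: octet 1 shifted (or multiplied) up by 24 bits, octet 2 by 16, octet 3 by 8, plus octet 4. The following is an added example, not code from the thread or from Splunk, that does the same arithmetic in Python with the checks a practitioner would want before trusting a converted lookup: it rejects anything that is not four octets in 0..255 (the `\d{1,3}` pattern above also matches 999), provides the reverse conversion so you can verify a `_dec` column, and, like the `foreach` answer, adds `<field>_dec` next to each `*_ip` field of a lookup row. The sample rows are the question's own `src_ip`/`dst_ip` values plus one constructed bad entry; the function names are mine.

```python
"""IPv4 dotted-quad <-> 32-bit decimal, mirroring the SPL in the thread.

Added example, not code from the thread. The first sample row is the
question's own src_ip / dst_ip; the second row is constructed to show
how an invalid address is handled.
"""
import re

# Four groups of 1-3 digits; range 0..255 is checked separately below.
_DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

# Same offsets as the SPL: bit_shift_left by 24, 16, 8, and 0 for the last octet
# (equivalently multiply by 16777216, 65536, 256, 1).
_SHIFTS = (24, 16, 8, 0)


def ip_to_decimal(ip: str) -> int:
    """Return the 32-bit integer for a dotted-quad IPv4 string.

    Raises ValueError for anything that is not exactly four octets in 0..255,
    so a malformed lookup entry fails loudly instead of producing a number
    that silently matches nothing.
    """
    m = _DOTTED_QUAD.match(ip.strip())
    if not m:
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {ip!r}")
    value = 0
    for octet, shift in zip(octets, _SHIFTS):
        value += octet << shift
    return value


def decimal_to_ip(value: int) -> str:
    """Inverse of ip_to_decimal; use it to spot-check a converted column."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"value outside 32-bit range: {value}")
    return ".".join(str((value >> shift) & 0xFF) for shift in _SHIFTS)


def convert_rows(rows, fields=("src_ip", "dst_ip")):
    """Add <field>_dec to each lookup row, like the foreach *_ip in the SPL answer.

    A row whose address fails validation gets None for that column rather
    than a wrong number, so bad lookup entries are visible in the output.
    """
    out = []
    for row in rows:
        new = dict(row)
        for f in fields:
            try:
                new[f + "_dec"] = ip_to_decimal(row[f])
            except (ValueError, KeyError):
                new[f + "_dec"] = None
        out.append(new)
    return out


# Constructed sample lookup: the question's row plus one deliberately bad entry.
SAMPLE_LOOKUP = [
    {"src_ip": "192.168.1.1", "dst_ip": "192.168.1.100", "description": "internal IP"},
    {"src_ip": "10.0.0.256", "dst_ip": "10.0.0.1", "description": "bad octet (constructed)"},
]

if __name__ == "__main__":
    for row in convert_rows(SAMPLE_LOOKUP):
        print(row)
```

Once the lookup carries numeric columns, a range test is a plain numeric comparison (`start_dec <= src_ip_dec <= end_dec`), which is the usual reason for wanting the decimal form in the first place; the round trip through `decimal_to_ip` is the quickest way to confirm that the `_dec` values written by the SPL match the addresses you started from.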
