Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to convert IP to decimal

KwonTaeHoon
Path Finder
‎04-17-2024 06:30 AM

Hello

My lookup table has fields of src_ip, dst_ip, and description.

src_ip=192.168.1.1

dst_ip=192.168.1.100

description="internal IP"

I want to convert the src_ip field and dst_ip to decimal.

If you know how to convert it, please add a reply.

 

Thank you

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎04-17-2024 04:35 PM

Let me give this a semantic makeover using bit_shift_left😃 (9.2 and above - thanks @jason_hotchkiss for noticing) because semantic code is easier to understand and maintain.

 

| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)
| foreach *_ip
    [eval <<FIELD>> = split(<<FIELD>>, "."),
    <<FIELD>>_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(<<FIELD>>, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(<<FIELD>>, 3))),
    <<FIELD>> = mvjoin(<<FIELD>>, ".") ``` this last part for display only ```]
| fields - offset segment_rev

 

The sample data gives

dst_ipdst_ip_decsrc_ipsrc_ip_dec
192.168.1.1003232235876192.168.1.13232235777

Here is an emulation you can play with and compare with real data

 

 

| makeresults format=csv data="src_ip, dst_ip
192.168.1.1, 192.168.1.100"
``` data emulation above ```

 

 

Note: If it helps readability., you can skip foreach and spell the two operations separately.

 

| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)
| eval src_ip = split(src_ip, ".")
| eval dst_ip = split(dst_ip, ".")
| eval src_ip_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(src_ip, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(src_ip, 3)))
| eval dst_ip_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(dst_ip, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(dst_ip, 3)))
| eval src_ip = mvjoin(src_ip, "."), dst_ip = mvjoin(dst_ip, ".") ``` for display only ```
| fields - offset segment_rev

 

 

 

 

Reply

jason_hotchkiss
Communicator
‎04-18-2024 06:33 AM

 

 

 

| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)
| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)

 

 

 

 
For the above, should the second set have been given a different value for the field? 

Additionally, when I run the example, I received:

04-18-2024 13:36:06.590 ERROR EvalCommand [102993 searchOrchestrator] - The 'bit_shift_left' function is unsupported or undefined.

I believe the function requires 9.2.0+

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎04-18-2024 09:45 AM
04-18-2024 13:36:06.590 ERROR EvalCommand [102993 searchOrchestrator] - The 'bit_shift_left' function is unsupported or undefined.

I believe the function requires 9.2.0+

Thanks for noticing!  I always assumed that bitwise operations had been part of SPL from day one but no.  The document has this footer: "This documentation applies to the following versions of Splunk® Enterprise: 9.2.0, 9.2.1." (Searching in previous versions results in the same pointers to 9.2.)

For the above, should the second set have been given a different value for the field?

Those are really bad copy-and-paste errors.  Corrected.

0 Karma
Reply

jason_hotchkiss
Communicator
‎04-17-2024 07:10 AM

Take a look at this solution:  

https://community.splunk.com/t5/Splunk-Search/Convert-Hexadecimal-IP-v4-addresses-to-decimal/td-p/40...

You could use:  (?<d1>\d{1,3})\.(?<d2>\d{1,3})\.(?<d3>\d{1,3})\.(?<d4>\d{1,3}) for your particular example as the rex conversion.

| makeresults count=1
| eval src_ip = "192.168.1.1"
| streamstats values(src_ip) as src_ip by _time
| rex field=src_ip "(?<d1>\d{1,3})\.(?<d2>\d{1,3})\.(?<d3>\d{1,3})\.(?<d4>\d{1,3})"
| eval dec_src_ip = 'd1'*16777216+'d2'*65536+'d3'*256+'d4'+0



There is also an app that provides you a command to do the conversion:  
https://splunkbase.splunk.com/app/512

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...