Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to convert IPv6 to IPv4 dotted decimal format with eval?

roayers
Explorer
‎02-24-2018 11:04 AM

I've found many samples of how to convert an IPv4 to many different formats but I can't seem to locate one to convert an IPv6 address to IPv4 - Dotted decimal format.

Can anyone help?

Thanks,
Robert

Labels (1)
Labels
0 Karma
Reply

gordo32
Communicator
‎09-06-2022 01:40 PM

Had to do this today because VPN logs for eStreamer returns the IPv4 client_ip field in hex encoded IPv6 format (e.g. 104.33.245.146 is listed as 0000:0000:0000:0000:0000:ffff:6821:f592)

index=estreamer
| eval A=if(like(client_ip,"0000:0000:0000:0000:0000:ffff:%"), substr(ipv6,31,9) , client_ip)
| eval src_ip=if(len(A)==9, tonumber(substr(A,1,2),16). "." .tonumber(substr(A,3,2),16). "." .tonumber(substr(A,6,2),16). "." .tonumber(substr(A,8,2),16), A)

Not sure what the use case OP originally was looking for, but hope this helps someone.

  • First eval compares set temp variable A to the hex-encoded IPv4 if matches the format, otherwise stores the IPv6
  • Second eval parses & converts each IPv4 octet if A is 9 characters long, othewise returns the IPv6

Hope this helps someone else.

 

 

0 Karma
Reply

benjimons
New Member
‎02-27-2020 07:29 PM

There is an RFC related to this. https://tools.ietf.org/html/rfc6144 which speaks of

IPv4-translatable addresses: IPv6 addresses to be assigned to IPv6
nodes for use with stateless translation. They have an explicit
mapping relationship to IPv4 addresses. A stateless translator
uses the corresponding IPv4 addresses to represent the IPv6
addresses. A stateful translator does not use this kind of
addresses, since IPv6 hosts are represented by the IPv4 address
pool in the translator via dynamic state.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-24-2018 03:23 PM

Splunk has built-in functions to convert hexadecimal to decimal: http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/ConversionFunctions#tonumber.28NUM...
Using that, you can build whatever representation you like for IP addresses.

I can't help you with how to write the eval until you let me know how you'd like the lossy conversion from IPv6 to IPv4 to look like - keep in mind, IPv6 addresses are 128bit while IPv4 ones are only 32bit.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top