Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to convert IPv6 to IPv4 dotted decimal format with eval?

roayers
Explorer
‎02-24-2018 11:04 AM

I've found many samples of how to convert an IPv4 to many different formats but I can't seem to locate one to convert an IPv6 address to IPv4 - Dotted decimal format.

Can anyone help?

Thanks,
Robert

Labels (1)
Labels
0 Karma
Reply

gordo32
Communicator
‎09-06-2022 01:40 PM

Had to do this today because VPN logs for eStreamer returns the IPv4 client_ip field in hex encoded IPv6 format (e.g. 104.33.245.146 is listed as 0000:0000:0000:0000:0000:ffff:6821:f592)

index=estreamer
| eval A=if(like(client_ip,"0000:0000:0000:0000:0000:ffff:%"), substr(ipv6,31,9) , client_ip)
| eval src_ip=if(len(A)==9, tonumber(substr(A,1,2),16). "." .tonumber(substr(A,3,2),16). "." .tonumber(substr(A,6,2),16). "." .tonumber(substr(A,8,2),16), A)

Not sure what the use case OP originally was looking for, but hope this helps someone.

  • First eval compares set temp variable A to the hex-encoded IPv4 if matches the format, otherwise stores the IPv6
  • Second eval parses & converts each IPv4 octet if A is 9 characters long, othewise returns the IPv6

Hope this helps someone else.

 

 

0 Karma
Reply

benjimons
New Member
‎02-27-2020 07:29 PM

There is an RFC related to this. https://tools.ietf.org/html/rfc6144 which speaks of

IPv4-translatable addresses: IPv6 addresses to be assigned to IPv6
nodes for use with stateless translation. They have an explicit
mapping relationship to IPv4 addresses. A stateless translator
uses the corresponding IPv4 addresses to represent the IPv6
addresses. A stateful translator does not use this kind of
addresses, since IPv6 hosts are represented by the IPv4 address
pool in the translator via dynamic state.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-24-2018 03:23 PM

Splunk has built-in functions to convert hexadecimal to decimal: http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/ConversionFunctions#tonumber.28NUM...
Using that, you can build whatever representation you like for IP addresses.

I can't help you with how to write the eval until you let me know how you'd like the lossy conversion from IPv6 to IPv4 to look like - keep in mind, IPv6 addresses are 128bit while IPv4 ones are only 32bit.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...