Solved: Re: How to convert a decimal into binary?

the_wolverine · ‎03-17-2017

There doesn't seem to be command that will magically convert my decimal into binary. Any tips on how this can be done?

the_wolverine · ‎03-17-2017

Here's one example, assuming your decimal field is named "RAW_VALUE"

search RAW_VALUE=* 
| stats latest(RAW_VALUE) as RAW_VALUE by host 
| eval power=mvrange(0,20) | mvexpand power | eval base2=pow(2, power) 
| where RAW_VALUE>=base2 
| eval mydiv=floor(RAW_VALUE/base2) 
| eval mybin=mydiv % 2 
| sort - power 
| stats list(mybin) as binary by host,RAW_VALUE

This is built off of hints from the comment by javiergn in the following post: https://answers.splunk.com/answers/342277/is-it-possible-to-perform-bitwise-operations-on-va.html

View solution in original post

Fumbles · ‎07-14-2023

Posting an update based on @the_wolverine 's solution provided a few years ago:

One weakness of the previous solution is that | mvexpand will generate 20 events for each event it runs against making it difficult to scale. With the addition of | foreach mode=multivalue to Splunk a multivalue list can now be iterated through without generating additional events, improving performance.

| makeresults 
| eval value=72
| eval power=mvrange(0,20) 
| foreach mode=multivalue power [eval item=pow(2,'<<ITEM>>'), base2=mvappend(base2,'item')]
| foreach mode=multivalue base2 [eval value_div=case(value>='<<ITEM>>',floor(value/'<<ITEM>>')%2), bin=mvappend(bin,'value_div')]
| foreach mode=multivalue bin [eval bin_count=mvcount(bin)-1, binary=mvappend(binary,mvindex(bin,-1)), bin=if(mvcount('bin')>=bin_count, mvappend(mvindex(bin,0,bin_count-1),''), bin)]
| nomv binary
| rex mode=sed field=binary "s/\n//g"
| table value power base2 binary

sgamble · ‎05-17-2022

Here is a simple, single eval that does it. Extend or reduce as required.

| makeresults count=32
| streamstats count as decimal
| eval decimal=decimal-1
| fields - _time

| eval binary=
floor(decimal/256%2).
floor(decimal/128%2).
floor(decimal/64%2).
floor(decimal/32%2).
floor(decimal/16%2).
floor(decimal/8%2).
floor(decimal/4%2).
floor(decimal/2%2).
floor(decimal/1%2)

ziegfried · ‎03-22-2017

... | eval binary=replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(tostring(mynumber, "hex"), 3), "0", "0000"), "1", "0001"), "2", "0010"), "3", "0011"), "4", "0100"), "5", "0101"), "6", "0110"), "7", "0111"), "8", "1000"), "9", "1001"), "A", "1010"), "B", "1011"), "C", "1100"), "D", "1101"), "E", "1110"), "F", "1111")

DalJeanis · ‎03-22-2017

Upvote for much less crazy than the alternatives.

DalJeanis · ‎10-11-2018

Slightly more readable for the same function...

| makeresults | eval RAW_VALUE=mvappend("2531","11","5") | mvexpand RAW_VALUE  
| rename COMMENT as "The above just makes test data"

| eval binary=tostring(RAW_VALUE,"hex")
| rex mode=sed field=binary "s/0/0000/g s/1/0001/g s/2/0010/g s/3/0011/g s/4/0100/g s/5/0101/g s/6/0110/g s/7/0111/g s/8/1000/g s/9/1001/g s/a|A/1010/g s/b|B/1011/g s/c|C/1100/g s/d|D/1101/g s/e|E/1110/g s/f|F/1111/g s/x// s/^0//g"

the_wolverine · ‎03-17-2017

Here's one example, assuming your decimal field is named "RAW_VALUE"

search RAW_VALUE=* 
| stats latest(RAW_VALUE) as RAW_VALUE by host 
| eval power=mvrange(0,20) | mvexpand power | eval base2=pow(2, power) 
| where RAW_VALUE>=base2 
| eval mydiv=floor(RAW_VALUE/base2) 
| eval mybin=mydiv % 2 
| sort - power 
| stats list(mybin) as binary by host,RAW_VALUE

This is built off of hints from the comment by javiergn in the following post: https://answers.splunk.com/answers/342277/is-it-possible-to-perform-bitwise-operations-on-va.html

How to convert a decimal into binary?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms