Splunk Search

How to convert a decimal into binary?

the_wolverine
Champion

There doesn't seem to be command that will magically convert my decimal into binary. Any tips on how this can be done?

0 Karma
1 Solution

the_wolverine
Champion

Here's one example, assuming your decimal field is named "RAW_VALUE"

search RAW_VALUE=* 
| stats latest(RAW_VALUE) as RAW_VALUE by host 
| eval power=mvrange(0,20) | mvexpand power | eval base2=pow(2, power) 
| where RAW_VALUE>=base2 
| eval mydiv=floor(RAW_VALUE/base2) 
| eval mybin=mydiv % 2 
| sort - power 
| stats list(mybin) as binary by host,RAW_VALUE

This is built off of hints from the comment by javiergn in the following post: https://answers.splunk.com/answers/342277/is-it-possible-to-perform-bitwise-operations-on-va.html

View solution in original post

Fumbles
Explorer

Posting an update based on @the_wolverine 's solution provided a few years ago:

One weakness of the previous solution is that | mvexpand will generate 20 events for each event it runs against making it difficult to scale. With the addition of | foreach mode=multivalue to Splunk a multivalue list can now be iterated through without generating additional events, improving performance. 

| makeresults 
| eval value=72
| eval power=mvrange(0,20) 
| foreach mode=multivalue power [eval item=pow(2,'<<ITEM>>'), base2=mvappend(base2,'item')]
| foreach mode=multivalue base2 [eval value_div=case(value>='<<ITEM>>',floor(value/'<<ITEM>>')%2), bin=mvappend(bin,'value_div')]
| foreach mode=multivalue bin [eval bin_count=mvcount(bin)-1, binary=mvappend(binary,mvindex(bin,-1)), bin=if(mvcount('bin')>=bin_count, mvappend(mvindex(bin,0,bin_count-1),''), bin)]
| nomv binary
| rex mode=sed field=binary "s/\n//g"
| table value power base2 binary

 

0 Karma

sgamble
Splunk Employee
Splunk Employee

Here is a simple, single eval that does it. Extend or reduce as required.

| makeresults count=32
| streamstats count as decimal
| eval decimal=decimal-1
| fields - _time

| eval binary=
floor(decimal/256%2).
floor(decimal/128%2).
floor(decimal/64%2).
floor(decimal/32%2).
floor(decimal/16%2).
floor(decimal/8%2).
floor(decimal/4%2).
floor(decimal/2%2).
floor(decimal/1%2)

ziegfried
Influencer
... | eval binary=replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(tostring(mynumber, "hex"), 3), "0", "0000"), "1", "0001"), "2", "0010"), "3", "0011"), "4", "0100"), "5", "0101"), "6", "0110"), "7", "0111"), "8", "1000"), "9", "1001"), "A", "1010"), "B", "1011"), "C", "1100"), "D", "1101"), "E", "1110"), "F", "1111")

DalJeanis
Legend

Upvote for much less crazy than the alternatives.

0 Karma

DalJeanis
Legend

Slightly more readable for the same function...

| makeresults | eval RAW_VALUE=mvappend("2531","11","5") | mvexpand RAW_VALUE  
| rename COMMENT as "The above just makes test data"

| eval binary=tostring(RAW_VALUE,"hex")
| rex mode=sed field=binary "s/0/0000/g s/1/0001/g s/2/0010/g s/3/0011/g s/4/0100/g s/5/0101/g s/6/0110/g s/7/0111/g s/8/1000/g s/9/1001/g s/a|A/1010/g s/b|B/1011/g s/c|C/1100/g s/d|D/1101/g s/e|E/1110/g s/f|F/1111/g s/x// s/^0//g" 
0 Karma

the_wolverine
Champion

Here's one example, assuming your decimal field is named "RAW_VALUE"

search RAW_VALUE=* 
| stats latest(RAW_VALUE) as RAW_VALUE by host 
| eval power=mvrange(0,20) | mvexpand power | eval base2=pow(2, power) 
| where RAW_VALUE>=base2 
| eval mydiv=floor(RAW_VALUE/base2) 
| eval mybin=mydiv % 2 
| sort - power 
| stats list(mybin) as binary by host,RAW_VALUE

This is built off of hints from the comment by javiergn in the following post: https://answers.splunk.com/answers/342277/is-it-possible-to-perform-bitwise-operations-on-va.html

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...