- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to convert an IP address in hex format to ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to convert an IP address in hex format to a normal IP address?
How do I convert an IP address in hex format "00000000000000000000FFFF0A15856E" into a normal dotted IP address
I tried like this, but it is not giving correct address:
| eval x="00000000000000000000FFFF0A15856E" | eval IP_ADDR1=tonumber(x,16) | table IP_ADDR1 | eval firstoctet = floor(IP_ADDR1/pow(256,3)) |
eval IP_ADDR1 = IP_ADDR1-(firstoctet*pow(256,3)) |
eval secondoctet = floor(IP_ADDR1/pow(256,2)) |
eval IP_ADDR1 = IP_ADDR1-secondoctet*pow(256,2) |
eval thirdoctet = floor(IP_ADDR1/pow(256,1)) |
eval IP_ADDR1 = IP_ADDR1-thirdoctet*pow(256,1) |
eval SRC_IP = firstoctet+"."+secondoctet+"."+thirdoctet+"."+IP_ADDR1 | table SRC_IP
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seems like there are junk characters added. Give something like this a try, considering only last 8 characters to ip conversion
| gentimes start=-1 | eval Reason="00000000000000000000FFFF0A15856E" | table Reason| rex field=Reason "(?<d1>\S{2})(?<d2>\S{2})(?<d3>[0-9A-F]{2})(?<d4>\S{2})$" | eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As you asked a question to convert decimal ipaddress to normal ipaddress, you can use the following query and check it:
index=* or your base search here | rex "(?i)(?[0-9A-F]{2})(?[0-9A-F]{2})(?[0-9A-F]{2})(?[0-9A-F]{2})" | eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From database i am fetching ipaddress which is in binary format. so i have used HEX(ipaddr,16) to convert binary to HEX in database query. Then In splunk i am trying to convert this ipaddress to decimal.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That does not look like an IPv4 address - There should be only 8 hex digits in an IP address
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From database i am fetching ipaddress which is in binary format. so i have used HEX(ipaddr,16) to convert binary to HEX in database query. Then In splunk i am trying to convert this ipaddress to decimal.
Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!
Logs to Metrics
Developer Spotlight with Paul Stout
