Splunk Search

How to convert an IP address via props.conf and transforms.conf from HEX to decimal format?

splunknewby
Path Finder

I have set up a forwarder on my machine to send netflow data from a directory into splunk. The setup is as follows:

Directory: /home/user/Documents/netflowstuff
file1.json
file2.json

Each JSON file has multiple entries/lines in the following form:

{"source":"XYZ", "srcaddr":"C0A80101".........................................etc}

When searching, I use:

index=main | rex field=srcaddr "(?i)(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})" | eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16))

to convert the IP address from hex to decimal.

What I want to do however: is have splunk ingest the IP address in decimal from the start without having to run this search. How do I go about configuring props.conf and transforms.conf to accomplish this?

0 Karma

MuS
SplunkTrust

btw, why did you ask this again http://answers.splunk.com/answers/241068/how-to-convert-indexed-ip-data-from-hex-to-decimal.html ? Splunk features have not changed since the last question 🙂

0 Karma

woodcock
Esteemed Legend

I do not know of any way to do this at index-time but it can be done automatically at search time by abusing a calculated field after switching to an eval-only solution (not using rex) like this in props.conf:

[MySourceType]
# A calculated field is a single eval expression (no pipes), and srcaddr is a hex string,
# so it must first be turned into a number with tonumber(srcaddr, 16) before the octets are split off.
EVAL-ip = tostring(floor(tonumber(srcaddr,16)/16777216)).".".tostring(floor((tonumber(srcaddr,16)%16777216)/65536)).".".tostring(floor((tonumber(srcaddr,16)%65536)/256)).".".tostring(tonumber(srcaddr,16)%256)

Note: this is untested but should work.

0 Karma

dflodstrom
Builder

You will only be able to use regex/SEDCMD during index time so it looks like evaluating this field at search time is your best option. The command 'tonumber' should do the trick.

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/CommonEvalFunctions

This function converts the input string NUMSTR to a number, where BASE is optional and used to define the base of the number to convert to. BASE can be 2..36, and defaults to 10. If tonumber cannot parse a field value to a number, the function returns NULL. If tonumber cannot parse a literal string to a number, it throws an error.

0 Karma

aljohnson_splun
Splunk Employee

I'm not sure how I'd use props and transforms to do this. Although not directly answering your question, you could automate this process more by adding permanent field extractions for the rex, and a calculated field for the eval.

http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/Createandmaintainsearch-timefieldextract...

http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/definecalcfields

0 Karma
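Combining the two knowledge objects aljohnson_splun describes (a search-time field extraction for the rex and a calculated field for the eval) into one props.conf stanza. This is an added example, not configuration posted by anyone in this thread; the sourcetype name netflow_json, the output field name src_ip, and the assumption that srcaddr is always eight hex characters are mine.

```ini
# props.conf, search-time only (Splunk has no index-time eval).
# Sourcetype name "netflow_json" is assumed; use the one your forwarder assigns.
[netflow_json]

# One JSON object per line: let Splunk extract "srcaddr" and the other keys itself.
KV_MODE = json

# Pull the four hex octets straight out of _raw with the same pattern as the rex in
# the question. Matching on _raw (rather than "in srcaddr") avoids depending on the
# order in which the other search-time extractions run. Assumes srcaddr is always
# zero-padded to eight hex characters, as in the sample "C0A80101".
EXTRACT-srcaddr_octets = "srcaddr":"(?<d1>[0-9A-Fa-f]{2})(?<d2>[0-9A-Fa-f]{2})(?<d3>[0-9A-Fa-f]{2})(?<d4>[0-9A-Fa-f]{2})"

# Calculated fields are evaluated after field extractions, so d1..d4 exist here.
# tonumber(<octet>, 16) parses each two-character hex pair; "." joins the result.
# For srcaddr "C0A80101" this yields src_ip = "192.168.1.1".
EVAL-src_ip = tostring(tonumber(d1,16)).".".tostring(tonumber(d2,16)).".".tostring(tonumber(d3,16)).".".tostring(tonumber(d4,16))
```

After a restart or a debug/refresh, every search of the sourcetype (index=main sourcetype=netflow_json) shows src_ip without the rex/eval pipeline; d1..d4 also appear as fields and can be dropped with fields - d1 d2 d3 d4 if they clutter the field list.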
