Solved: How to convert hexadecimal IP to decimal

vrmandadi · ‎09-11-2019

Hello all,
How can we convert this to regular IP?
I tried using the below search but it's not converting correctly.
Below is the sample event:

| rex "(?i)(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})"
 | eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16))

SYMNP-SMI::enterprises."9.9.42.1.3.2.1.8.13.3197256382.1.1" = "0x0aa0a04b"

poete · ‎09-11-2019

Hello @vrmandadi,

here is the solution.

| makeresults 
| eval _raw="SYMNP-SMI::enterprises.\"9.9.42.1.3.2.1.8.13.3197256382.1.1\" = \"0x0aa0a04b\""
| rex "0x(?i)(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})"
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16))

View solution in original post

poete · ‎09-11-2019

Hello @vrmandadi,

here is the solution.

| makeresults 
| eval _raw="SYMNP-SMI::enterprises.\"9.9.42.1.3.2.1.8.13.3197256382.1.1\" = \"0x0aa0a04b\""
| rex "0x(?i)(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})"
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16))

vrmandadi · ‎09-11-2019

Thank you very much @poete

How to convert hexadecimal IP to decimal

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...