Hi splunknewby,
there is no built-in function to do that, but you can use some tricks to get there. Try this:
your base search here
| rex "(?i)(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})"
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16)) |...
The regex will most likely need to be adapted to your real-life events, but it should give you an idea of how to do it.
cheers, MuS
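The rex/eval pair above does two things: capture four consecutive hex byte pairs (case-insensitively) and convert each pair with tonumber(d, 16) before joining them with dots. The Python below is an added example that mirrors that logic outside Splunk; it is not code from the thread or from Splunk. The sample events, the field names and the optional 0x prefix (the form used in the later follow-up question) are all constructed for this example. It goes one step beyond the answer's rex by surrounding the match with lookarounds so that eight hex digits inside a longer hex run (a hash, a session id) are not mistaken for an address, which is the kind of adaptation the answer says real events will need, and it cross-checks each result against the standard library's ipaddress module.

```python
import re
import ipaddress

# Constructed sample events (not from the thread): IPv4 addresses encoded as
# 8 hex digits, with and without a 0x prefix, in mixed case. The third event
# carries no address and must yield an empty result.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z conn src=0xC0A80001 dst=0a000001 action=allow",
    "2024-01-01T10:00:01Z conn src=c0a8ff10 dst=0xAc100005 action=deny",
    "2024-01-01T10:00:02Z heartbeat status=ok",
]

# Same shape as the answer's rex: four named hex byte pairs, case-insensitive.
# Added here: an optional 0x prefix and lookarounds so the match is not
# embedded in a longer hex string (e.g. an MD5 digest).
HEX_IP_RE = re.compile(
    r"(?i)(?<![0-9A-F])(?:0x)?"
    r"(?P<d1>[0-9A-F]{2})(?P<d2>[0-9A-F]{2})"
    r"(?P<d3>[0-9A-F]{2})(?P<d4>[0-9A-F]{2})"
    r"(?![0-9A-F])"
)


def hex_to_dotted(hex8: str) -> str:
    """Convert 8 hex digits (optionally 0x-prefixed) to dotted decimal.

    Each byte pair is parsed base 16 and joined with dots, exactly what the
    eval in the answer does with tonumber(dN, 16) and tostring().
    """
    m = HEX_IP_RE.fullmatch(hex8)
    if m is None:
        raise ValueError(f"not an 8-hex-digit IPv4 address: {hex8!r}")
    octets = [int(m.group(k), 16) for k in ("d1", "d2", "d3", "d4")]
    dotted = ".".join(str(o) for o in octets)
    # Cross-check: interpreting the whole 32-bit value with the standard
    # library must give the same address as the byte-by-byte conversion.
    whole = int(m.group(0).lower().removeprefix("0x"), 16)
    if str(ipaddress.IPv4Address(whole)) != dotted:
        raise AssertionError(f"octet conversion disagrees with ipaddress for {hex8!r}")
    return dotted


def extract_ips(event: str) -> list[str]:
    """Return every hex-encoded IPv4 address found in one event, in dotted form."""
    return [hex_to_dotted(m.group(0)) for m in HEX_IP_RE.finditer(event)]


def convert_events(events: list[str]) -> list[list[str]]:
    """Apply extract_ips to each event; the per-event list may be empty."""
    return [extract_ips(e) for e in events]


if __name__ == "__main__":
    for event, ips in zip(SAMPLE_EVENTS, convert_events(SAMPLE_EVENTS)):
        print(f"{ips!r:40} <- {event}")
```

For the constructed events this yields 192.168.0.1 and 10.0.0.1 for the first line, 192.168.255.16 and 172.16.0.5 for the second, and nothing for the heartbeat line. If your source encodes addresses in a different byte order than the one assumed here (most significant octet first), the four captures simply need to be joined in the order your source uses.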
Thanks MuS, that did the trick. How do I make it so that any further searches I do have the IP addresses in this form rather than the HEX?
Where do I configure this?
you could use field extraction http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/ExtractfieldsinteractivelywithIFX to get d1, d2, d3, d4 as fields and a lookup table to translate the d fields into numbers .... this is the most you could probably do or change the source output to be decimal 😉
Cheers, thanks again 🙂
I tried using
rex "(?i)0x(?
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16)) | geoip ip
from the answer given here:
http://answers.splunk.com/answers/27475/convert-hexadecimal-ip-v4-addresses-to-decimal.html
but Splunk is showing the following: "Unknown search command 'geoip'."