Splunk Search

How to replace letters with numbers in a string

Explorer

I'm trying to convert a long hexadecimal number (md5) to decimal.
Unfortunately md5number = tonumber(md5string,16) does not seem to work, perhaps due to the number's length.
So I thought I would replace respective letters in the md5 string with numbers. "a" to 10, "b" to 11 ... "f" to 16. The correctness of the final number does not play a role as I only need it to compare two neighboring events using "delta" function, so I need decimal numbers for that purpose.
Unfortunately I am unable to do it using replace or rex in sed mode.
Example md5 hash: 6c17f73c47a12dcf494cd95e3e8bd490
Any help will be appreciated.

0 Karma
1 Solution

Super Champion

A crude way, but should work
(splitting first 8 characters and converting to number and then next 8 chars and converting and then concatenating both)

| stats count as echo | eval decimal = tostring(tonumber(substr("D431F2404CA13E22594E5C8B04D3BBB8",1,8),16)) + tostring(tonumber(substr("D431F2404CA13E22594E5C8B04D3BBB8",9,8),16))| fields decimal

View solution in original post

Super Champion

A crude way, but should work
(splitting first 8 characters and converting to number and then next 8 chars and converting and then concatenating both)

| stats count as echo | eval decimal = tostring(tonumber(substr("D431F2404CA13E22594E5C8B04D3BBB8",1,8),16)) + tostring(tonumber(substr("D431F2404CA13E22594E5C8B04D3BBB8",9,8),16))| fields decimal

View solution in original post

Explorer

Thanks!
I actually managed to achieve my goal by writing a rather lenghty nested replace function:
tonumber(replace(replace(replace(replace(replace(replace(logmsghash,"a","10"),"b","11"),"c","12"),"d","13"),"e","14"),"f","15"))
It doesn't calculate the number properly but it does create SOME decimal number which primarly was my goal.

0 Karma

Try creating a custom command and implement your own logic in python to achieve your requirement
http://docs.splunk.com/Documentation/Splunk/6.0.8/AdvancedDev/SearchScripts

0 Karma

Explorer

I don't think I would be able to do it since I'm using Web Splunk and have no access to commands.conf. I'm pretty sure one can do it with rex sed, but my level of expertise is not sufficient and I couldn't find any examples that would suit my need.

0 Karma