Splunk Search

Is there a way to check a particular bit in a field that returns a hex value?

CYamaguchi
Engager

I have a field that returns a hex value. The value returned can be anything from 0 to FF.

We'll call this field CRAYON. If bit position 0 is a 1 (or turned on), the crayon is BLUE. If bit position 1 is on, crayon is GREEN. If bit position 2 is on, crayon is PURPLE. This goes on for each of the 8 bits with each bit representing a different color of crayon.

The program that sets CRAYON only changes a single bit at a time. When CRAYON is set to BLUE, only the bit for that position is changed. The other 7 bits can be any combination of on/off. Which is why something simple like CRAYON = 1 would not identify all blue crayons. I would only find that color when all other bits were turned off, which does not happen often. Usually, 3 or 4 bits are turned on at a time.

I need to check for each color individually based on its bit position. How can I determine the color of CRAYON when I'm given a hex value between 0 and FF? Any help is much appreciated!

1 Solution

martin_mueller
SplunkTrust
SplunkTrust

With a bit of limboing around the lack of bitwise operations, sure.

| stats count as number | eval number = mvrange(0,256) | mvexpand number | eval n = mvrange(0,8) | mvexpand n
| eval hex = tostring(number, "hex") | eval dec = tonumber(hex, 16)
| eval nth_bit = floor(number / pow(2, n)) % 2

The first line sets up a 100% test coverage data set: 256 numbers and one row for each bit to test.
The second line shows how you can convert between hexadecimal and decimal.
The last line does the actual testing, nth_bit will be 1 iff the nth bit of number is set.

From a bitwise perspective, this is basically (number >> n) & 1

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

With a bit of limboing around the lack of bitwise operations, sure.

| stats count as number | eval number = mvrange(0,256) | mvexpand number | eval n = mvrange(0,8) | mvexpand n
| eval hex = tostring(number, "hex") | eval dec = tonumber(hex, 16)
| eval nth_bit = floor(number / pow(2, n)) % 2

The first line sets up a 100% test coverage data set: 256 numbers and one row for each bit to test.
The second line shows how you can convert between hexadecimal and decimal.
The last line does the actual testing, nth_bit will be 1 iff the nth bit of number is set.

From a bitwise perspective, this is basically (number >> n) & 1

Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...