Splunk Search

## Is there a way to check a particular bit in a field that returns a hex value?

Engager

I have a field that returns a hex value. The value returned can be anything from 0 to FF.

We'll call this field CRAYON. If bit position 0 is a 1 (or turned on), the crayon is BLUE. If bit position 1 is on, crayon is GREEN. If bit position 2 is on, crayon is PURPLE. This goes on for each of the 8 bits with each bit representing a different color of crayon.

The program that sets CRAYON only changes a single bit at a time. When CRAYON is set to BLUE, only the bit for that position is changed. The other 7 bits can be any combination of on/off. Which is why something simple like CRAYON = 1 would not identify all blue crayons. I would only find that color when all other bits were turned off, which does not happen often. Usually, 3 or 4 bits are turned on at a time.

I need to check for each color individually based on its bit position. How can I determine the color of CRAYON when I'm given a hex value between 0 and FF? Any help is much appreciated!

Tags (5)
1 Solution
SplunkTrust

With a bit of limboing around the lack of bitwise operations, sure.

``````| stats count as number | eval number = mvrange(0,256) | mvexpand number | eval n = mvrange(0,8) | mvexpand n
| eval hex = tostring(number, "hex") | eval dec = tonumber(hex, 16)
| eval nth_bit = floor(number / pow(2, n)) % 2
``````

The first line sets up a 100% test coverage data set: 256 numbers and one row for each bit to test.
The second line shows how you can convert between hexadecimal and decimal.
The last line does the actual testing, `nth_bit` will be 1 iff the `n`th bit of `number` is set.

From a bitwise perspective, this is basically `(number >> n) & 1`

SplunkTrust

With a bit of limboing around the lack of bitwise operations, sure.

``````| stats count as number | eval number = mvrange(0,256) | mvexpand number | eval n = mvrange(0,8) | mvexpand n
| eval hex = tostring(number, "hex") | eval dec = tonumber(hex, 16)
| eval nth_bit = floor(number / pow(2, n)) % 2
``````

The first line sets up a 100% test coverage data set: 256 numbers and one row for each bit to test.
The second line shows how you can convert between hexadecimal and decimal.
The last line does the actual testing, `nth_bit` will be 1 iff the `n`th bit of `number` is set.

From a bitwise perspective, this is basically `(number >> n) & 1`

Get Updates on the Splunk Community!

#### Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

#### Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

#### Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...