Re: Typecasting String to Hex/Dec/Oct

juanfiguera · ‎04-06-2021

I'm looking for a way of typecasting ASCII characters (A,B,C,D,etc) into their decimal or hexadecimal formats.

I've tried

|makeresults
|eval fielda="a"
|eval char=printf("%d",fielda)
|table fielda char

This gives me an empty field for "char".

Then tried tonumber() and tostring() but both require strings which are numbers, not letters and so they come back with Null values.

Is there a way of typecasting ASCII to Hex/Dec/Oct?

gjanders · ‎09-11-2021

Decrypt2 should handle at least some of these scenarios... https://splunkbase.splunk.com/app/5565/

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

user_bee · ‎09-10-2021

Two more corrections:

70->71

63->62

eval ascii=case(char<26,char+65,char<52,char+71,char<62,char-4,isnull(char),"??")

Original (incorrect):

eval ascii=case(char<26,char+65,char<52,char+70,char<63,char-4,isnull(char),"??")

bowesmana · ‎04-06-2021

Not aware of a way other than writing python, but you can achieve limited results with a simple macro that encapsulates

NB: EDITED TO FIX UP typo identified by @user_bee

| makeresults
| eval fielda="A"
| eval char=mvfind(split("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",""), fielda)
| eval ascii=case(char<26,char+65,char<52,char+70,char<63,char-4,isnull(char),"??")
| eval hex=printf("%02x-%c", ascii, ascii)
| table fielda char ascii hex

but that only handles letters and numbers and only standard ASCII charset - would not work for non english and other code pages.

You could create a case sensitive lookup, but these are all sledgehammers to crack a simple nut 😞

user_bee · ‎05-12-2021

@bowesmana wrote:

char=mvfind(split("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvqwxyz0123456789",""), fielda)

Great workaround. Thanks a bunch. Just a couple of quick edits for anyone else wanting to use this. There's an extra q after the lower case v that needs to be removed.

Also. the 70 below should be 71.

@bowesmana wrote:

| eval ascii=case(char<26,char+65,char<53,char+70,char<63,char-5,isnull(char),"??")

ITWhisperer · ‎04-06-2021

|makeresults
|eval fielda="a"
|eval char=tonumber(fielda,16)
|table fielda char

juanfiguera · ‎04-06-2021

Thank you for the super quick response! This returns "10" which is the value of "a" in decimal. If you try converting anything that's beyond the hex range (0-9a-f) then you will get nothing in return.

PickleRick · ‎09-11-2021

That's why you can use larger base. In @ITWhisperer's example the base was 16 so no digit over "f" would be converted. But if you do tonumber("whatever",36), you'll be able to use whole a-z range.

In general - tonumber() is designed to convert a string representation of a number to a number. You just need to give it a proper base.

ITWhisperer · ‎04-06-2021

If you want to convert letters to their ascii code equivalents, you could try something like this

|makeresults
|eval fielda="a"
|eval char=printf("0x%X",tonumber(fielda,36)+55)
|table fielda char

This issue with this is that it doesn't work consistently for all letters, indeed, the values returned are for the uppercase letters even if a lowercase letter is used. To get the right value returned, you would have to play about with the value being added for different ranges of letters

Typecasting String to Hex/Dec/Oct

eval

other

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM