Splunk Search

ip address in non usual format

changux
Builder

Hi all. I have McAfee logging to a SQL database with a field:

sourceip=739840322

How can I translate this IP to a standard IP format?

What format is that?

Regards.

acharlieh
Influencer

If I had to guess, that looks like the decimal representation of an IPv4 address.

If we convert that number to hex, you wind up with 2C191142,

which, taken a byte at a time, translates to 44.25.17.66.

A first pass at eval statements to make the conversion is:

base search
| eval remainder=sourceip
| eval firstoctet=floor(remainder/pow(256,3)) | eval remainder=remainder-(firstoctet*pow(256,3))
| eval secondoctet=floor(remainder/pow(256,2)) | eval remainder=remainder-secondoctet*pow(256,2)
| eval thirdoctet=floor(remainder/pow(256,1)) | eval remainder=remainder-thirdoctet*pow(256,1)
| eval sourceip_string=firstoctet+"."+secondoctet+"."+thirdoctet+"."+remainder
| fields sourceip*

But of course that assumes you only have IPv4 addresses stored there, and it feels very clunky, but it works.
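
The same conversion the eval chain above performs, written as a stand-alone Python example added here (it is not code from this thread or from the dec2ip command linked below): it mirrors the divide-by-powers-of-256 steps, rejects values outside the 32-bit range, cross-checks the arithmetic against the standard library, and applies the conversion over a batch of rows without letting one bad value abort the rest. The sample rows are constructed, and the handling of negative values assumes they came from a signed 32-bit column.

```python
import ipaddress

MAX_IPV4 = (1 << 32) - 1


def dec_to_ipv4(value):
    """Decimal IPv4 value (int or numeric string) -> dotted quad, mirroring the
    eval chain above: peel off floor(remainder / 256**k) for k = 3, 2, 1."""
    n = int(str(value).strip())
    if n < 0:
        # Assumption: a negative value is the same 32 bits read from a signed
        # column (two's complement); re-interpret it as unsigned.
        n += 1 << 32
    if not 0 <= n <= MAX_IPV4:
        raise ValueError(f"{value!r} is outside the 32-bit IPv4 range")
    octets, remainder = [], n
    for power in (3, 2, 1, 0):
        octet, remainder = divmod(remainder, 256 ** power)
        octets.append(octet)
    dotted = ".".join(str(o) for o in octets)
    # Cross-check the hand-rolled arithmetic against the standard library.
    assert dotted == str(ipaddress.IPv4Address(n))
    return dotted


def ipv4_to_dec(dotted):
    """Inverse conversion, for searching the decimal column by address."""
    return int(ipaddress.IPv4Address(dotted))


def enrich_events(events, field="sourceip"):
    """Add <field>_string to each event, leaving unparseable values as None."""
    out = []
    for event in events:
        row = dict(event)
        try:
            row[field + "_string"] = dec_to_ipv4(row[field])
        except (KeyError, ValueError):
            row[field + "_string"] = None
        out.append(row)
    return out


# Constructed sample rows standing in for the SQL-backed events in the question.
SAMPLE_EVENTS = [
    {"sourceip": "739840322"},     # the value from the question
    {"sourceip": 0},               # lower edge
    {"sourceip": MAX_IPV4},        # upper edge
    {"sourceip": "not-a-number"},  # bad data should not abort the whole batch
]
```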

jrizzo_splunk
Splunk Employee

I wrote a command to do this. I uploaded it to github: https://github.com/rzzldzzl/splunk_dec2ip_command

Example:

$ splunk search '| stats count | fields - count | eval dec_ip="739840322" | dec_ip ip4'
 dec_ip       ip4
--------- -----------
739840322 44.25.17.66

Joe

acharlieh
Influencer

Translating this process to eval statements will take a bit of finagling and I'll have to come back to it later, as the hex string could be variable length, and you'd want to split it into up to 2-character segments starting from the back and working forward. Strike that: you'd want to do divisions by powers of 256.

changux
Builder

My field is named sourceip4. How can I use it with your suggestion?

acharlieh
Influencer

Change the first line, | eval remainder=sourceip, to | eval remainder=sourceip4. You may also want to look at playing with the last eval (where all the octets are assembled) and the fields command to clean up the steps in the middle.

changux
Builder

Any suggestion of eval to do the change?

acharlieh
Influencer

I made a first pass at a chain of several. That could likely be cleaned up to get down to one or two, but it'd take some finagling. You'd probably want to adjust the fields command to get rid of the in-progress steps.
