I have set up a forwarder on my machine to send netflow data from a directory into splunk. The setup is as follows:
Directory: /home/user/Documents/netflowstuff
file1.json
file2.json
each json file has multiple entries/lines in the following form:
{"source":"XYZ", "srcaddr":"C0A80101".........................................etc}
When searching, I use:
index=main | rex field=srcaddr "(?i)(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})" | eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16))
to convert the IP address from hex to decimal.
What I want to do, however, is have Splunk ingest the IP address in decimal from the start, without having to run this search. How do I go about configuring props.conf and transforms.conf to accomplish this?
btw, why did you ask this again http://answers.splunk.com/answers/241068/how-to-convert-indexed-ip-data-from-hex-to-decimal.html ? Splunk features did not change since the last question 🙂
I do not know of any way to do this at index-time but it can be done automatically at search time by abusing a calculated field after switching to an eval-only solution (not using rex) like this in props.conf:
[MySourceType]
# srcaddr arrives as a hex string ("C0A80101"), so it is converted with tonumber(..., 16) first.
# A calculated field is a single eval expression (no pipes, no strcat, no fields), so the
# four octets are split inline with floor and % instead of through temporary fields.
EVAL-ip = tostring(floor(tonumber(srcaddr,16)/16777216)) . "." . tostring(floor((tonumber(srcaddr,16)%16777216)/65536)) . "." . tostring(floor((tonumber(srcaddr,16)%65536)/256)) . "." . tostring(tonumber(srcaddr,16)%256)
Note: this is untested but should work.
You will only be able to use regex/SEDCMD during index time so it looks like evaluating this field at search time is your best option. The command 'tonumber' should do the trick.
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/CommonEvalFunctions
This function converts the input string NUMSTR to a number, where BASE is optional and used to define the base of the number to convert to. BASE can be 2..36, and defaults to 10. If tonumber cannot parse a field value to a number, the function returns NULL. If tonumber cannot parse a literal string to a number, it throws an error.
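None of the index-time mechanisms named above (props/transforms, SEDCMD) can do arithmetic, so if the decimal form really has to exist before Splunk sees the data, the remaining option is to normalise the export before the forwarder reads it. The script below is an added example, not code from any of the posters; it assumes one JSON event per line as in the question, and that a dstaddr field exists alongside srcaddr.

```python
import ipaddress
import json
import re

# Fields carrying IPv4 addresses as hex strings. "srcaddr" is the field from the
# question; "dstaddr" is an assumption about what else the netflow export holds.
HEX_IP_FIELDS = ("srcaddr", "dstaddr")
HEX_IP_RE = re.compile(r"^[0-9A-Fa-f]{1,8}$")


def hex_to_dotted(value):
    """"C0A80101" -> "192.168.1.1" (same arithmetic as the eval answer above).

    Accepts 1..8 hex digits, so a value whose leading zero octet was dropped by
    the exporter ("A000001") still converts; the question's 8-digit rex would
    not match it at all. Returns None for anything that is not a hex IPv4 value.
    """
    if not isinstance(value, str) or not HEX_IP_RE.match(value):
        return None
    return str(ipaddress.IPv4Address(int(value, 16)))


def convert_line(line):
    """Rewrite one JSON event so its hex IP fields hold dotted-decimal strings."""
    event = json.loads(line)
    for field in HEX_IP_FIELDS:
        dotted = hex_to_dotted(event.get(field))
        if dotted is not None:
            event[field] = dotted
    return json.dumps(event, separators=(",", ":"))


def convert_file(src_path, dst_path):
    """Convert src_path (one JSON event per line) into dst_path, copying lines that
    are not valid JSON through unchanged; point the forwarder's monitor stanza
    at dst_path instead of the raw export."""
    with open(src_path) as src, open(dst_path, "w") as dst:
        for raw in src:
            line = raw.rstrip("\n")
            try:
                dst.write(convert_line(line) + "\n")
            except ValueError:  # not JSON (or a blank line): keep the raw line
                dst.write(line + "\n")


# Constructed sample events in the shape shown in the question.
SAMPLE_LINES = [
    '{"source":"XYZ","srcaddr":"C0A80101","dstaddr":"0A000001","dstport":443}',
    '{"source":"XYZ","srcaddr":"A000001","dstaddr":"c0a8ff01","dstport":53}',
]
```

Because the converted files keep the original field names, the existing props.conf and any saved searches keep working; only the rex/eval step becomes unnecessary.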
I'm not sure how I'd use props and transforms to do this. Although not directly answering your question, you could automate this process more by adding permanent field extractions for the rex, and a calculated field for the eval.
http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/definecalcfields