Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to convert IP to decimal

KwonTaeHoon
Path Finder
2 weeks ago

Hello

My lookup table has fields of src_ip, dst_ip, and description.

src_ip=192.168.1.1

dst_ip=192.168.1.100

description="internal IP"

I want to convert the src_ip field and dst_ip to decimal.

If you know how to convert it, please add a reply.

 

Thank you

Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
2 weeks ago

Let me give this a semantic makeover using bit_shift_left😃 (9.2 and above - thanks @jason_hotchkiss for noticing) because semantic code is easier to understand and maintain.

 

| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)
| foreach *_ip
    [eval <<FIELD>> = split(<<FIELD>>, "."),
    <<FIELD>>_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(<<FIELD>>, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(<<FIELD>>, 3))),
    <<FIELD>> = mvjoin(<<FIELD>>, ".") ``` this last part for display only ```]
| fields - offset segment_rev

 

The sample data gives

dst_ipdst_ip_decsrc_ipsrc_ip_dec
192.168.1.1003232235876192.168.1.13232235777

Here is an emulation you can play with and compare with real data

 

 

| makeresults format=csv data="src_ip, dst_ip
192.168.1.1, 192.168.1.100"
``` data emulation above ```

 

 

Note: If it helps readability., you can skip foreach and spell the two operations separately.

 

| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)
| eval src_ip = split(src_ip, ".")
| eval dst_ip = split(dst_ip, ".")
| eval src_ip_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(src_ip, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(src_ip, 3)))
| eval dst_ip_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(dst_ip, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(dst_ip, 3)))
| eval src_ip = mvjoin(src_ip, "."), dst_ip = mvjoin(dst_ip, ".") ``` for display only ```
| fields - offset segment_rev

 

 

 

 

Reply

jason_hotchkiss
Communicator
2 weeks ago

 

 

 

| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)
| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)

 

 

 

 
For the above, should the second set have been given a different value for the field? 

Additionally, when I run the example, I received:

04-18-2024 13:36:06.590 ERROR EvalCommand [102993 searchOrchestrator] - The 'bit_shift_left' function is unsupported or undefined.

I believe the function requires 9.2.0+

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
2 weeks ago
04-18-2024 13:36:06.590 ERROR EvalCommand [102993 searchOrchestrator] - The 'bit_shift_left' function is unsupported or undefined.

I believe the function requires 9.2.0+

Thanks for noticing!  I always assumed that bitwise operations had been part of SPL from day one but no.  The document has this footer: "This documentation applies to the following versions of Splunk® Enterprise: 9.2.0, 9.2.1." (Searching in previous versions results in the same pointers to 9.2.)

For the above, should the second set have been given a different value for the field?

Those are really bad copy-and-paste errors.  Corrected.

0 Karma
Reply

jason_hotchkiss
Communicator
2 weeks ago

Take a look at this solution:  

https://community.splunk.com/t5/Splunk-Search/Convert-Hexadecimal-IP-v4-addresses-to-decimal/td-p/40...

You could use:  (?<d1>\d{1,3})\.(?<d2>\d{1,3})\.(?<d3>\d{1,3})\.(?<d4>\d{1,3}) for your particular example as the rex conversion.

| makeresults count=1
| eval src_ip = "192.168.1.1"
| streamstats values(src_ip) as src_ip by _time
| rex field=src_ip "(?<d1>\d{1,3})\.(?<d2>\d{1,3})\.(?<d3>\d{1,3})\.(?<d4>\d{1,3})"
| eval dec_src_ip = 'd1'*16777216+'d2'*65536+'d3'*256+'d4'+0



There is also an app that provides you a command to do the conversion:  
https://splunkbase.splunk.com/app/512

 

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...