I have a field in the logs, that is a Bit-field.
Is there a way, a function to translate those field in a human readable mvfield ?
Here is a bitfield translation example :
1 test1
2 test2
4 test3
8 test4
What I would like, is a way to translate "3" in "test1,test2)
I would enjoy a | bitlookup bittranslation.csv bitfield
But I guess I would have seen it already, if there were one 😉
Extract using math:
|stats count | eval bitfield = 5 | eval numfield1=(bitfield % 2) | eval numfield2 = floor(bitfield / 2) % 2 | eval numfield3 = floor(bitfield / 4) % 2
or...
Extracting with a CSV:
|stats count | eval bitfield = 5 | lookup bitlookup.csv bitfield OUTPUT bitnames | makemv delim="|" bitnames
$ cat bitlookup.csv
bitfield,bitnames
0,b0
1,b1
2,b2
3,b1|b2
4,b4
5,b1|b4
6,b2|b4
7,b1|b2|b4
8,b8
9,b1|b8
10,b2|b8
11,b1|b2|b8
12,b4|b8
13,b1|b4|b8
14,b2|b4|b8
15,b1|b2|b4|b8
Extract using math:
|stats count | eval bitfield = 5 | eval numfield1=(bitfield % 2) | eval numfield2 = floor(bitfield / 2) % 2 | eval numfield3 = floor(bitfield / 4) % 2
or...
Extracting with a CSV:
|stats count | eval bitfield = 5 | lookup bitlookup.csv bitfield OUTPUT bitnames | makemv delim="|" bitnames
$ cat bitlookup.csv
bitfield,bitnames
0,b0
1,b1
2,b2
3,b1|b2
4,b4
5,b1|b4
6,b2|b4
7,b1|b2|b4
8,b8
9,b1|b8
10,b2|b8
11,b1|b2|b8
12,b4|b8
13,b1|b4|b8
14,b2|b4|b8
15,b1|b2|b4|b8
Use MATH
bitfield = 2^(x-1)
(because your first bitfield is not 0 but 1, hence the x-1 instead of x)
So,
x-1 = log2(bitfield)
And finally
x = log2(bitfield)+1
So when bitfield is 8, log2(bitfield) is 3, and so x = 3+1 = 4.
eval
has the log(number,base)
function that you can use for doing this.
... | eval numfield=log(bitfield,2)+1
If I have a bit field set to 3, that means that I have the bit 1 and 2 set. That why I need a function to check what bits are set
Well my understanding of the bitfield is that it would always be a 2 exponent? So it'd follow the pattern 1,2,4,8,16,32,...
In that case bitfield will never be 3.
I'm not sure to understand,
I've tried
|stats count | eval bitfield=3 | eval numfield=log(bitfield,2)+1
and I get numfield=2.58
I would need something like numfield=(1;2)..