Splunk Search

Bitfield lookup

sbsbb
Builder

I have a field in the logs that is a bit-field.
Is there a way, a function, to translate that field into a human-readable mvfield?

Here is a bitfield translation example:
1 test1
2 test2
4 test3
8 test4

What I would like is a way to translate "3" into "test1,test2"

I would enjoy a | bitlookup bittranslation.csv bitfield
But I guess I would have seen it already, if there were one 😉

0 Karma
1 Solution

sciurus
Path Finder

Extract using math:

  • divide by 2^n to shift the value right by n bits
  • modulo by 2 to get the low bit

|stats count | eval bitfield = 5 | eval numfield1=(bitfield % 2) | eval numfield2 = floor(bitfield / 2) % 2 | eval numfield3 = floor(bitfield / 4) % 2

or...

Extracting with a CSV:

|stats count | eval bitfield = 5 | lookup bitlookup.csv bitfield OUTPUT bitnames | makemv delim="|" bitnames

$ cat bitlookup.csv

bitfield,bitnames
0,b0
1,b1
2,b2
3,b1|b2
4,b4
5,b1|b4
6,b2|b4
7,b1|b2|b4
8,b8
9,b1|b8
10,b2|b8
11,b1|b2|b8
12,b4|b8
13,b1|b4|b8
14,b2|b4|b8
15,b1|b2|b4|b8


0 Karma
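Both techniques in the accepted answer are illustrated below in a small Python script; it is an added example, not code from the answer or from Splunk. It uses the asker's four bit names (test1..test4) as a constructed mapping, decodes a value with the same floor-divide and modulo arithmetic the eval expressions use, and generates the complete bitlookup.csv for every combination of those bits, so the lookup side does not have to be written out by hand. The BIT_NAMES table, and the function names, are assumptions for this example; the generator works for any set of distinct power-of-two bit names, not just these four.

```python
"""Decode a bitfield into names and generate a Splunk lookup CSV (added example).

BIT_NAMES is a constructed mapping taken from the question's example; replace it
with the real bit definitions for the field being decoded.
"""
import csv
import io

# Constructed mapping: bit value -> human-readable name (from the question)
BIT_NAMES = {1: "test1", 2: "test2", 4: "test3", 8: "test4"}


def set_bits(bitfield: int) -> list[int]:
    """Return the powers of two set in bitfield.

    Uses only integer division and modulo, mirroring the accepted answer's
    eval expressions: floor(bitfield / 2^n) shifts right by n, % 2 keeps the low bit.
    """
    bits = []
    n = 0
    while bitfield // (2 ** n) > 0:
        if (bitfield // (2 ** n)) % 2 == 1:
            bits.append(2 ** n)
        n += 1
    return bits


def decode(bitfield: int, names: dict[int, str] = BIT_NAMES) -> list[str]:
    """Translate a bitfield into the multivalue list of names.

    A bit that is set but has no entry in names is reported as 'bitN', so an
    unexpected value in the logs stays visible instead of being silently dropped.
    """
    return [names.get(b, f"bit{b}") for b in set_bits(bitfield)]


def build_lookup_csv(names: dict[int, str] = BIT_NAMES, delim: str = "|") -> str:
    """Emit bitlookup.csv covering every combination of the defined bits.

    The largest combination is all bits set, i.e. the sum of the bit values, so
    the table runs from 0 to that sum (0..15 for four bits). bitnames is joined
    with delim, matching `| makemv delim="|" bitnames` on the search side.
    Value 0 gets an empty bitnames field.
    """
    all_set = sum(names)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["bitfield", "bitnames"])
    for value in range(all_set + 1):
        writer.writerow([value, delim.join(decode(value, names))])
    return buf.getvalue()


if __name__ == "__main__":
    print(decode(3))          # ['test1', 'test2']
    print(build_lookup_csv(), end="")
```

The generated file drops straight into the `| lookup bitlookup.csv bitfield OUTPUT bitnames | makemv delim="|" bitnames` pipeline from the answer. Note that the table size doubles with every bit (16 rows for 4 bits, 65536 for a 16-bit field), so for wide fields the per-bit eval arithmetic is the more practical of the two approaches.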


Ayn
Legend

Use MATH

bitfield = 2^(x-1)

(because your first bitfield is not 0 but 1, hence the x-1 instead of x)
So,

x-1 = log2(bitfield)

And finally

x = log2(bitfield)+1

So when bitfield is 8, log2(bitfield) is 3, and so x = 3+1 = 4.

eval has the log(number,base) function that you can use for doing this.

... | eval numfield=log(bitfield,2)+1

sbsbb
Builder

If I have a bit field set to 3, that means that I have bits 1 and 2 set. That's why I need a function to check which bits are set.

0 Karma

Ayn
Legend

Well my understanding of the bitfield is that it would always be a 2 exponent? So it'd follow the pattern 1,2,4,8,16,32,...

In that case bitfield will never be 3.

0 Karma

sbsbb
Builder

I'm not sure I understand.
I've tried
|stats count | eval bitfield=3 | eval numfield=log(bitfield,2)+1

and I get numfield=2.58

I would need something like numfield=(1;2)..

0 Karma