If I had to guess, that looks like the decimal representation of an IPv4 address.
If we convert that number to hex, you wind up with 2C191142,
which, taken a byte at a time, translates to: 44.25.17.66
A first pass at eval statements to make the conversion is:
base search
| eval remainder=sourceip
| eval firstoctet=floor(remainder/pow(256,3)) | eval remainder=remainder-(firstoctet*pow(256,3))
| eval secondoctet=floor(remainder/pow(256,2)) | eval remainder=remainder-secondoctet*pow(256,2)
| eval thirdoctet=floor(remainder/pow(256,1)) | eval remainder=remainder-thirdoctet*pow(256,1)
| eval sourceip_string=firstoctet+"."+secondoctet+"."+thirdoctet+"."+remainder
| fields sourceip*
But of course that assumes you only have IPv4 addresses stored there and it feels very clunky, but it works.
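For reference, here is the same repeated-division-by-powers-of-256 logic as a small Python script, run over a few constructed log records. This is an added example, not code from the thread or from the linked dec2ip command; the field name `sourceip` and the sample records are assumptions. It cross-checks the result against the standard `ipaddress` module and flags values that cannot be an IPv4 address (negative, non-numeric, or larger than 2^32-1, which is what you would see if something else had been stored in the same field), which the eval chain above silently mangles instead of rejecting.

```python
import ipaddress

IPV4_MAX = 2**32 - 1


def dec_to_ipv4(value):
    """Convert a decimal integer (or numeric string) to dotted-quad form.

    Mirrors the eval chain: peel off the top octet with floor(n / 256^3),
    subtract it out, and repeat for 256^2, 256^1, and the final remainder.
    Returns None when the value is not a valid IPv4 integer.
    """
    try:
        n = int(str(value).strip())
    except (TypeError, ValueError):
        return None
    if not 0 <= n <= IPV4_MAX:
        return None
    octets = []
    remainder = n
    for power in (3, 2, 1):
        octet = remainder // 256**power
        remainder -= octet * 256**power
        octets.append(str(octet))
    octets.append(str(remainder))  # whatever is left is the last octet
    return ".".join(octets)


def dec_to_hex(value):
    """Show the intermediate hex form mentioned in the thread, zero-padded to 8 digits."""
    return format(int(value), "08X")


def enrich_records(records, field="sourceip"):
    """Add <field>_string to each record, or mark it as not-an-IPv4 value.

    The field name is an assumption; adjust to match your own data.
    """
    out = []
    for rec in records:
        rec = dict(rec)
        dotted = dec_to_ipv4(rec.get(field))
        if dotted is None:
            rec[field + "_string"] = None
            rec[field + "_note"] = "not a valid IPv4 integer"
        else:
            rec[field + "_string"] = dotted
        out.append(rec)
    return out


# Constructed sample events; 739840322 is the value from the thread,
# the others exercise the boundary and bad-input cases.
SAMPLE_RECORDS = [
    {"sourceip": "739840322"},
    {"sourceip": 0},
    {"sourceip": IPV4_MAX},
    {"sourceip": IPV4_MAX + 1},            # too big: maybe an IPv6 value
    {"sourceip": "2C191142"},              # hex text, not decimal
]

if __name__ == "__main__":
    for rec in enrich_records(SAMPLE_RECORDS):
        print(rec)
    print(dec_to_hex(739840322))  # 2C191142
    # Independent check against the standard library.
    print(str(ipaddress.IPv4Address(739840322)))
```

The loop over powers 3, 2, 1 with the remainder as the final octet is exactly what the four eval lines compute; the difference is the range check up front, which is the piece you want if the field sometimes holds something other than a decimal IPv4 address.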
I wrote a command to do this. I uploaded it to github: https://github.com/rzzldzzl/splunk_dec2ip_command
Example:
$ splunk search '| stats count | fields - count | eval dec_ip="739840322" | dec_ip ip4'
dec_ip ip4
--------- -----------
739840322 44.25.17.66
Joe
Translating this process to eval statements will take a bit of finagling and I'll have to come back to it later, as the hex string could be variable length, and you'd want to split into up to 2-character segments starting from the back and working forward. Strike that: you'd want to do divisions by powers of 256.
My field is named sourceip4, how can I use it with your suggestion?
Change the first line: | eval remainder=sourceip
to | eval remainder=sourceip4
You may want to also look at playing with the last eval (where all the octets are assembled) and the fields to clean up the steps in the middle.
Any suggestion for an eval to do the change?
I made a first pass at a chain of several. That could likely be cleaned up to get down to one or two, but it'd take some finagling. You'd probably want to adjust the fields command to get rid of the in-progress steps.