Splunk Search

ip address in non usual format

changux
Builder

Hi all. I have McAfee logging in a SQL database with a field:

sourceip=739840322

How can I translate this IP to a standard IP format?

What format is that?

Regards.


acharlieh
Influencer

If I had to guess, that looks like the decimal representation of an IPv4 address.

If we convert that number to hex, you wind up with 2C191142

which, if we take it a byte at a time, translates to: 44.25.17.66

A first pass at eval statements to make the conversion is:

base search
| eval remainder=sourceip
| eval firstoctet=floor(remainder/pow(256,3)) | eval remainder=remainder-(firstoctet*pow(256,3))
| eval secondoctet=floor(remainder/pow(256,2)) | eval remainder=remainder-secondoctet*pow(256,2)
| eval thirdoctet=floor(remainder/pow(256,1)) | eval remainder=remainder-thirdoctet*pow(256,1)
| eval sourceip_string=firstoctet+"."+secondoctet+"."+thirdoctet+"."+remainder
| fields sourceip*

But of course that assumes you only have IPv4 addresses stored there and it feels very clunky, but it works.

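The same powers-of-256 decomposition as the eval chain above, written in Python as an added example (not from the thread or from Splunk). It assumes, as the thread does, that sourceip holds an unsigned 32-bit IPv4 value; the signed32 option covers a column that was declared as a signed 32-bit integer, which is an assumption added here and not something the thread states.

```python
import ipaddress

def dec_to_ipv4(value, signed32=False):
    """Turn a decimal-encoded IPv4 address (e.g. 739840322) into dotted quad.

    Mirrors the eval chain: octet k = floor(remainder / 256**k), then subtract.
    Rejects anything outside 0..2**32-1 instead of silently producing garbage.
    """
    n = int(value)
    if signed32 and n < 0:
        # Assumption: a signed 32-bit column stores addresses >= 128.0.0.0
        # as negative numbers; add 2**32 to recover the unsigned value.
        n += 2**32
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"{value!r} is outside the 32-bit IPv4 range")
    octets, remainder = [], n
    for power in (3, 2, 1, 0):
        octet = remainder // 256**power
        remainder -= octet * 256**power
        octets.append(str(octet))
    return ".".join(octets)

def ipv4_to_dec(dotted):
    """Inverse conversion, for comparing log values against dotted-quad lists."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"{dotted!r} is not a dotted quad")
    n = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet {part!r} out of range in {dotted!r}")
        n = n * 256 + octet
    return n

def matches_stdlib(value):
    """Cross-check the hand-rolled decomposition against the standard library."""
    return dec_to_ipv4(value) == str(ipaddress.IPv4Address(int(value)))

def decode_rows(rows):
    """Decode a batch of constructed SQL rows shaped like the McAfee export."""
    return [dict(row, sourceip_string=dec_to_ipv4(row["sourceip"])) for row in rows]

if __name__ == "__main__":
    # constructed sample rows; 739840322 is the value from the question
    for row in decode_rows([{"sourceip": 739840322}, {"sourceip": "3232235777"}]):
        print(row)
```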

jrizzo_splunk
Splunk Employee

I wrote a command to do this. I uploaded it to github: https://github.com/rzzldzzl/splunk_dec2ip_command

Example:

$ splunk search '| stats count | fields - count | eval dec_ip="739840322" | dec_ip ip4'
 dec_ip       ip4
--------- -----------
739840322 44.25.17.66

Joe


acharlieh
Influencer

Translating this process to eval statements will take a bit of finagling and I'll have to come back to it later, as the hex string could be variable length, and you'd want to split it into up to 2-character segments starting from the back and working forward. Strike that: you'd want to do divisions by powers of 256.


changux
Builder

My field is named sourceip4. How can I use it with your suggestion?


acharlieh
Influencer

Change the first line, | eval remainder=sourceip, to | eval remainder=sourceip4. You may also want to look at playing with the last eval (where all the octets are assembled) and the fields command to clean up the steps in the middle.


changux
Builder

Any suggestion of eval to do the change?


acharlieh
Influencer

I made a first pass at a chain of several. That could likely be cleaned up to get down to one or two, but it'd take some finagling. You'd probably want to adjust the fields command to get rid of the in-progress steps.
