Splunk Search

How to convert an IP address via props.conf and transforms.conf from HEX to decimal format?

splunknewby
Path Finder

I have set up a forwarder on my machine to send netflow data from a directory into splunk. The setup is as follows:

Directory: /home/user/Documents/netflowstuff
file1.json
file2.json

Each JSON file has multiple entries/lines in the following form:

{"source":"XYZ", "srcaddr":"C0A80101".........................................etc}

When searching, I use:

index=main | rex field=srcaddr "(?i)(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})" | eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16))

to convert the IP address from hex to decimal.

What I want to do, however, is have Splunk ingest the IP address in decimal from the start without having to run this search. How do I go about configuring props.conf and transforms.conf to accomplish this?

0 Karma

MuS
SplunkTrust

btw, why did you ask this again http://answers.splunk.com/answers/241068/how-to-convert-indexed-ip-data-from-hex-to-decimal.html ? Splunk features have not changed since the last question 🙂

0 Karma

woodcock
Esteemed Legend

I do not know of any way to do this at index-time but it can be done automatically at search time by abusing a calculated field after switching to an eval-only solution (not using rex) like this in props.conf:

[MySourceType]
# Calculated field: parse the hex srcaddr once, then split the 32-bit value into octets
EVAL-ip = tostring(floor(tonumber(srcaddr,16)/16777216)) . "." . tostring(floor((tonumber(srcaddr,16)%16777216)/65536)) . "." . tostring(floor((tonumber(srcaddr,16)%65536)/256)) . "." . tostring(tonumber(srcaddr,16)%256)

Note: this is untested but should work.

0 Karma

dflodstrom
Builder

You will only be able to use regex/SEDCMD during index time so it looks like evaluating this field at search time is your best option. The command 'tonumber' should do the trick.

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/CommonEvalFunctions

This function converts the input string NUMSTR to a number, where BASE is optional and used to define the base of the number to convert to. BASE can be 2..36, and defaults to 10. If tonumber cannot parse a field value to a number, the function returns NULL. If tonumber cannot parse a literal string to a number, it throws an error.

0 Karma

aljohnson_splun
Splunk Employee

I'm not sure how I'd use props and transforms to do this. Although not directly answering your question, you could automate this process more by adding permanent field extractions for the rex, and a calculated field for the eval.

http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/Createandmaintainsearch-timefieldextract...

http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/definecalcfields

0 Karma
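An added example, not part of the thread: since none of the answers found an index-time path through props.conf/transforms.conf, one way to have the decimal form present at ingest is to rewrite the JSON files before the forwarder's monitored directory picks them up. The Python below does that with the same two-characters-per-octet logic as the question's search, checks it against the floor/modulo decomposition from the calculated-field answer, and leaves unparsable values untouched (where Splunk's tonumber would return NULL); the dstaddr field and the sample lines are assumptions.

```python
import json
import re

# Same shape as the question's rex: exactly four hex pairs, case-insensitive.
HEX_IP = re.compile(r"[0-9A-F]{8}", re.IGNORECASE)


def hex_to_ip(value):
    """tonumber(dN,16) per two-character slice, joined with dots.
    Returns None where Splunk's tonumber would yield NULL (unparsable field)."""
    if not isinstance(value, str) or not HEX_IP.fullmatch(value):
        return None
    return ".".join(str(int(value[i:i + 2], 16)) for i in range(0, 8, 2))


def octets_by_arith(n):
    """The floor/modulo decomposition from the calculated-field answer,
    applied to the whole 32-bit value; must agree with hex_to_ip."""
    a, rest = n // 16777216, n % 16777216
    b, rest = rest // 65536, rest % 65536
    c, d = rest // 256, rest % 256
    return f"{a}.{b}.{c}.{d}"


def rewrite_line(line, fields=("srcaddr", "dstaddr")):
    """Rewrite one netflow JSON line so the named fields are dotted-decimal.
    Values that do not parse are left untouched so nothing is silently lost."""
    event = json.loads(line)
    for name in fields:
        ip = hex_to_ip(event.get(name))
        if ip is not None:
            event[name] = ip
    return json.dumps(event, separators=(",", ":"))


# Constructed sample events in the shape the question shows; "dstaddr" is assumed.
SAMPLE_LINES = [
    '{"source":"XYZ","srcaddr":"C0A80101","dstaddr":"0a000001"}',
    '{"source":"XYZ","srcaddr":"C0A8","dstaddr":"zz"}',
]


def convert_lines(lines):
    """Convert every line; a file-level loop would write these back out
    before the forwarder reads them."""
    return [rewrite_line(line) for line in lines]


if __name__ == "__main__":
    for out in convert_lines(SAMPLE_LINES):
        print(out)
```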