Splunk Search

Convert Hexadecimal IP(v4) addresses to decimal?

NK_1
Path Finder

Logged output is like:
... ip: 0xAABBCCDD, ...

I'd like to convert the AABBCCDD to 170.187.204.221, and map the locations.

I'm currently doing:

sourcetype=MySource daysago=1 | rex field=_raw "(?i)0x(?P[^,]+)" | eval d1=tonumber(substr(hip,1,2), 16) | eval d2=tonumber(substr(hip,3,2), 16) | eval d3=tonumber(substr(hip,5,2), 16) | eval d4=tonumber(substr(hip,7,2), 16) | eval dip=d1+"."+d2+"."+d3+"."+d4 | geoip dip

Any more efficient method of doing the conversion?

Thanks.

Tags (3)
1 Solution

ziegfried
Influencer

One thing that will probably make it more efficient is to reduce the number of operations:

... | rex "(?i)0x(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})"
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16)) | geoip ip

Since the geoip command is converting the IP back to an integer, it might be a good idea to extend the command to allow the processing of integer values directly. I'll probably add this in the future.

View solution in original post

ziegfried
Influencer

One thing that will probably make it more efficient is to reduce the number of operations:

... | rex "(?i)0x(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})"
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16)) | geoip ip

Since the geoip command is converting the IP back to an integer, it might be a good idea to extend the command to allow the processing of integer values directly. I'll probably add this in the future.

Wiggy
Splunk Employee
Splunk Employee

I tried some sample events myself and it looks like you have a pretty good solution here.

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...