Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

convert string to binary

khanlarloo
Explorer
‎06-10-2017 05:11 AM

hi
how can i convert string to the form of ip add.when i search the ip add it shows ip add in the form of string instead of ip add format.

is there any solution to convert string to binary format of ip add?

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-13-2017 05:49 AM

Try this macro:

[IP32BitToDottedQuad(2)]
args = 32BitIP, newFieldName
definition = `comment("This creates a new field (the last arg) by converting \
a 32-bit packed IP address (the first arg) to Dotted-Quad format")` \
| rex field=$32BitIP$ "(?i)(?<JuNkT3Mp_1>[0-9A-F]{2})(?<JuNkT3Mp_2>[0-9A-F]{2})(?<JuNkT3Mp_3>[0-9A-F]{2})(?<JuNkT3Mp_4>[0-9A-F]{2})" \
| eval $newFieldName$ \
= tostring(tonumber(JuNkT3Mp_1,16)) + "." \
+ tostring(tonumber(JuNkT3Mp_2,16)) + "." \
+ tostring(tonumber(JuNkT3Mp_3,16)) + "." \
+ tostring(tonumber(JuNkT3Mp_4,16)) \
| eval $newFieldName$ = \
if((NOT match($newFieldName$, "Null")), $newFieldName$, "unconvertable") \
| fields - JuNkT3Mp_*
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-10-2017 10:30 AM

I'll just convert the quad string representation to the numeric address. After this, you can decide which representation to use for this value.

| regex field=ip "(?<quad4>\d+)\.(?<quad3>\d+)\.(?<quad2>\d+)\.(?<quad1>\d+)"
| eval NumericIP=quad4*pow(2,24) + quad3*pow(2,16) + quad2*pow(2,8) + quad1

There is no printf conversion to convert this numeric value into a binary representation, so you'll have to write your own using / and %.

0 Karma
Reply

maciep
Champion
‎06-10-2017 05:28 AM

do you have any example data you can share? And/Or could you elaborate a bit? What is the difference between the string representation and the IP address form?

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-10-2017 10:13 AM

I think it means to convert a quad format string representation of the numeric IP address into a binary representation of the numeric value. For example, the numeric value of 255.0.0.1 is 255*2^24 + 0*2^16 + 0*2^8 + 1*2 = (dec)4278190081 = (bin)11111111000000000000000000000001. Sometimes it is useful to use decimal string or hexadecimal string of the address value, but I really don't see what benefit could it be to use a binary string representation.

0 Karma
Reply

khanlarloo
Explorer
‎06-10-2017 05:36 AM

you can find a sample log file below

"May 13 17:55:05 192.168.10.16 May 13 17:55:05 wsm-2 attack: risk=Low, event=""Backend error"", proxy=""both://gsh:443"", proxy_id=31, log_id=3545324, source=""81.91.144.51"", violation=""General request violation"", path=""/content/assets/css/byekan.woff"", method=""GET"", node=""wsm-2.rb.snig.armandata.net"", action=""Allow"", time=""May 13 17:54:58 2017""","2017-05-13T17:55:05.000+0430",Allow,"81.91.144.51",17,13,55,may,5,saturday,2017,local,"Backend error",,,"192.168.10.16",main,1,3545324,GET,"wsm-2.rb.snig.armandata.net",,"/content/assets/css/byekan.woff",,attack,,"both://gsh:443",31,"::_...::-:=,="""",=""://..:"",=,=,=""...""",Low,"udp:514",syslog,SIEM,,,,"May 13 17:54:58 2017",15,0,,"General request violation"

as you see the source field contains IP address that i want extract it.
and use it in Choropleth Map
how can i do that.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...