Hello Experts,
I have a field called "src" which contains IP addresses in decimal format but I want to change the format to IPv4. I have an eval as mentioned below:
WORKS FINE FOR INLINE SEARCH
eval remainder=src | eval firstoctet=floor(remainder/pow(256,3)) | eval remainder=remainder-(firstoctet*pow(256,3)) | eval secondoctet=floor(remainder/pow(256,2)) | eval remainder=remainder-secondoctet*pow(256,2) | eval thirdoctet=floor(remainder/pow(256,1)) | eval remainder=remainder-thirdoctet*pow(256,1) | eval src_ip=firstoctet+"."+secondoctet+"."+thirdoctet+"."+remainder
DOESN'T WORK FINE WHEN USED IN PROPS.CONF
eval-remainder=src | eval firstoctet=floor(remainder/pow(256,3)) | eval remainder=remainder-(firstoctet*pow(256,3)) | eval secondoctet=floor(remainder/pow(256,2)) | eval remainder=remainder-secondoctet*pow(256,2) | eval thirdoctet=floor(remainder/pow(256,1)) | eval remainder=remainder-thirdoctet*pow(256,1) | eval src_ip=firstoctet+"."+secondoctet+"."+thirdoctet+"."+remainder
Help required. Thanks in advance.
There are several apps that give you search commands that will solve this problem now. Just google "splunkbase decimaltoip".
Hi!
You could add this in props.conf (this is two lines, one for the DestinationIP field and one for ClientIP):
EVAL-dst = if(DestinationIP!=0,tostring(floor(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)/16777216))+"."+tostring(floor((if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)-floor(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)/16777216)*16777216)/65536))+"."+tostring(floor((if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)-(floor(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)/16777216)*16777216+floor((if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)-floor(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)/16777216)*16777216)/65536)*65536))/256))+"."+tostring(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)-(floor(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)/16777216)*16777216+floor((if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)-floor(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)/16777216)*16777216)/65536)*65536+floor((if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)-(floor(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)/16777216)*16777216+floor((if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)-floor(if(DestinationIP<1,DestinationIP+2147483648,DestinationIP)/16777216)*16777216)/65536)*65536))/256)*256)),0)
EVAL-src = if(ClientIP!=0,tostring(floor(if(ClientIP<1,ClientIP+2147483648,ClientIP)/16777216))+"."+tostring(floor((if(ClientIP<1,ClientIP+2147483648,ClientIP)-floor(if(ClientIP<1,ClientIP+2147483648,ClientIP)/16777216)*16777216)/65536))+"."+tostring(floor((if(ClientIP<1,ClientIP+2147483648,ClientIP)-(floor(if(ClientIP<1,ClientIP+2147483648,ClientIP)/16777216)*16777216+floor((if(ClientIP<1,ClientIP+2147483648,ClientIP)-floor(if(ClientIP<1,ClientIP+2147483648,ClientIP)/16777216)*16777216)/65536)*65536))/256))+"."+tostring(if(ClientIP<1,ClientIP+2147483648,ClientIP)-(floor(if(ClientIP<1,ClientIP+2147483648,ClientIP)/16777216)*16777216+floor((if(ClientIP<1,ClientIP+2147483648,ClientIP)-floor(if(ClientIP<1,ClientIP+2147483648,ClientIP)/16777216)*16777216)/65536)*65536+floor((if(ClientIP<1,ClientIP+2147483648,ClientIP)-(floor(if(ClientIP<1,ClientIP+2147483648,ClientIP)/16777216)*16777216+floor((if(ClientIP<1,ClientIP+2147483648,ClientIP)-floor(if(ClientIP<1,ClientIP+2147483648,ClientIP)/16777216)*16777216)/65536)*65536))/256)*256)),0)
You can only use one expression in one props.conf EVAL entry, not multiple expressions together. I believe, due to the multiple expressions and their inter-dependency, this would be better implemented using a search macro. See this for more details:
http://docs.splunk.com/Documentation/Splunk/6.3.4/Knowledge/Usesearchmacros
Eval works differently in props.conf: it has a different syntax, and it's one eval per line, like below:
[sourcetypeName]
EVAL-evaluationNameOfYourChoice = x / y
EVAL-UniqueEvaluationNameOfYourChoice = x / 5
etc.
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
Ok,
Since you can't do this in props.conf, I wanted to provide you with a custom Splunk search command to help you and anyone else with this task. The Python script is called decimalToIPv4.py, but you can name it whatever you like in your commands.conf.
http://pastebin.com/ESy12auk <- keeps the syntax a bit better, but I'm also pasting the code below in case pastebin deletes the paste.
# splunk search command to give ipv4 equivalent of decimal ip field named src
# written by: Michael Bentley (michael@bentleypc.com)
import splunk.Intersplunk
import splunk.mining.dcutils as dcu
# use splunk logger (sends to _internal index)
logger = dcu.getLogger()
try:
    # function to convert from decimal to ipv4
    def decimalToIPv4(results):
        for result in results:
            if result.get("src"):  # change "src" to field name you desire if decimal ip is in different field (.get avoids a KeyError on rows without the field)
                decIP = int(result["src"])  # change "src" to field name you desire if decimal ip is in different field
                firstOctet = decIP // 16777216
                secondOctet = (decIP - (firstOctet * 16777216)) // 65536
                thirdOctet = (decIP - (firstOctet * 16777216) - (secondOctet * 65536)) // 256
                fourthOctet = decIP - (firstOctet * 16777216) - (secondOctet * 65536) - (thirdOctet * 256)
                result["ipv4"] = str(firstOctet) + "." + str(secondOctet) + "." + str(thirdOctet) + "." + str(fourthOctet)
        return results
    # get the previous search results
    results, dummy, settings = splunk.Intersplunk.getOrganizedResults()
    # return the previous search results, with the ipv4 field added
    splunk.Intersplunk.outputResults(decimalToIPv4(results))
except Exception as e:
    logger.error(e)
So here's how to deploy it:
Copy the above into a file named decimalToIPv4.py and put the file in your Splunk app's bin folder.
In the same Splunk app's local folder, create a commands.conf that looks like this (or append this to your current commands.conf):
[decimaltoip] #this is the name of the command as it will be used in splunk
filename = decimalToIPv4.py
Make sure the .py file has execute permissions and that the user Splunk runs as has permission on the file as well.
Then use it in a search like the photo below shows (it creates a field named ipv4):
If you change the decimal IP field from src, you'll need to edit decimalToIPv4.py (lines 14 & 15).
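The conversion in the script above, and in the props.conf EVAL answer earlier in the thread, is the same octet arithmetic. Below is an added, stand-alone Python example (not the script from the answer and not Splunk's code) that shows the same decimal-to-dotted-quad logic with the edge cases a field extraction meets in practice: numeric strings, a negative value stored by a signed 32-bit column (recovered by adding 2**32, the two's-complement wrap), and out-of-range or non-numeric input, which is reported as None instead of being silently mis-mapped. The `add_ipv4_field` helper mirrors the shape of a custom search command over result rows (list of dicts); the field names and sample rows are constructed for the example.

```python
# Added example (not the script from the answer above): decimal -> dotted-quad
# conversion with input validation, plus a row-processing helper in the shape
# a Splunk custom search command uses (each result is a dict of field -> value).
import ipaddress

SIGNED_32_MIN = -2 ** 31
UNSIGNED_32_MAX = 2 ** 32 - 1


def decimal_to_ipv4(value):
    """Convert a decimal IPv4 representation to dotted-quad text.

    Accepts an int or a numeric string. A negative value is treated as a
    signed 32-bit integer and mapped back to its unsigned form by adding
    2**32 (two's complement), which is how a signed column stores addresses
    above 127.255.255.255. Returns None for anything that cannot be a
    32-bit address so bad input stays visible instead of becoming a wrong IP.
    """
    try:
        n = int(str(value).strip())
    except (TypeError, ValueError):
        return None
    if SIGNED_32_MIN <= n < 0:
        n += 2 ** 32
    if not 0 <= n <= UNSIGNED_32_MAX:
        return None
    # Shift-and-mask is equivalent to the floor/divide arithmetic in the thread.
    octets = ((n >> 24) & 0xFF, (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF)
    return "%d.%d.%d.%d" % octets


def add_ipv4_field(results, src_field="src", dest_field="ipv4"):
    """Add dest_field next to src_field on every row that converts cleanly.

    Rows without the source field, or with an invalid value, are returned
    unchanged rather than aborting the whole result set.
    """
    for row in results:
        converted = decimal_to_ipv4(row.get(src_field))
        if converted is not None:
            row[dest_field] = converted
    return results


if __name__ == "__main__":
    # Constructed sample rows, not real log data.
    sample = [
        {"src": "3232235777"},   # 192.168.1.1
        {"src": "167772161"},    # 10.0.0.1
        {"src": "-1062731519"},  # signed form of 192.168.1.1 (3232235777 - 2**32)
        {"src": "4294967296"},   # one past the 32-bit maximum: rejected
        {"src": "not-an-ip"},    # non-numeric: rejected
        {"dst": "16777216"},     # no src field: left alone
    ]
    for row in add_ipv4_field(sample):
        print(row)
    # Cross-check one value against the standard library's own conversion.
    assert str(ipaddress.IPv4Address(3232235777)) == decimal_to_ipv4("3232235777")
```

Run it directly to see each constructed row with its ipv4 field added or left out. The check against `ipaddress.IPv4Address` is the cheap way to confirm the hand-rolled arithmetic before trusting it in a props.conf EVAL or a custom command.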
@splunk_kk what do you think about my solution?
If you'll sit tight, I'm developing a custom Splunk search command to do the job for you, because you can't do the logic in props.conf, because evals happen simultaneously and not sequentially.