Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to convert IP to decimal

KwonTaeHoon
Path Finder
‎04-17-2024 06:30 AM

Hello

My lookup table has fields of src_ip, dst_ip, and description.

src_ip=192.168.1.1

dst_ip=192.168.1.100

description="internal IP"

I want to convert the src_ip field and dst_ip to decimal.

If you know how to convert it, please add a reply.

 

Thank you

Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎04-17-2024 04:35 PM

Let me give this a semantic makeover using bit_shift_left😃 (9.2 and above - thanks @jason_hotchkiss for noticing) because semantic code is easier to understand and maintain.

 

| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)
| foreach *_ip
    [eval <<FIELD>> = split(<<FIELD>>, "."),
    <<FIELD>>_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(<<FIELD>>, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(<<FIELD>>, 3))),
    <<FIELD>> = mvjoin(<<FIELD>>, ".") ``` this last part for display only ```]
| fields - offset segment_rev

 

The sample data gives

dst_ipdst_ip_decsrc_ipsrc_ip_dec
192.168.1.1003232235876192.168.1.13232235777

Here is an emulation you can play with and compare with real data

 

 

| makeresults format=csv data="src_ip, dst_ip
192.168.1.1, 192.168.1.100"
``` data emulation above ```

 

 

Note: If it helps readability., you can skip foreach and spell the two operations separately.

 

| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)
| eval src_ip = split(src_ip, ".")
| eval dst_ip = split(dst_ip, ".")
| eval src_ip_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(src_ip, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(src_ip, 3)))
| eval dst_ip_dec = sum(mvmap(segment_rev, bit_shift_left(tonumber(mvindex(dst_ip, segment_rev)), tonumber(mvindex(offset, segment_rev)))), tonumber(mvindex(dst_ip, 3)))
| eval src_ip = mvjoin(src_ip, "."), dst_ip = mvjoin(dst_ip, ".") ``` for display only ```
| fields - offset segment_rev

 

 

 

 

Reply

jason_hotchkiss
Communicator
‎04-18-2024 06:33 AM

 

 

 

| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)
| eval offset = mvappend("24", "16", "8")
| eval segment_rev = mvrange(0, 3)

 

 

 

 
For the above, should the second set have been given a different value for the field? 

Additionally, when I run the example, I received:

04-18-2024 13:36:06.590 ERROR EvalCommand [102993 searchOrchestrator] - The 'bit_shift_left' function is unsupported or undefined.

I believe the function requires 9.2.0+

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎04-18-2024 09:45 AM
04-18-2024 13:36:06.590 ERROR EvalCommand [102993 searchOrchestrator] - The 'bit_shift_left' function is unsupported or undefined.

I believe the function requires 9.2.0+

Thanks for noticing!  I always assumed that bitwise operations had been part of SPL from day one but no.  The document has this footer: "This documentation applies to the following versions of Splunk® Enterprise: 9.2.0, 9.2.1." (Searching in previous versions results in the same pointers to 9.2.)

For the above, should the second set have been given a different value for the field?

Those are really bad copy-and-paste errors.  Corrected.

0 Karma
Reply

jason_hotchkiss
Communicator
‎04-17-2024 07:10 AM

Take a look at this solution:  

https://community.splunk.com/t5/Splunk-Search/Convert-Hexadecimal-IP-v4-addresses-to-decimal/td-p/40...

You could use:  (?<d1>\d{1,3})\.(?<d2>\d{1,3})\.(?<d3>\d{1,3})\.(?<d4>\d{1,3}) for your particular example as the rex conversion.

| makeresults count=1
| eval src_ip = "192.168.1.1"
| streamstats values(src_ip) as src_ip by _time
| rex field=src_ip "(?<d1>\d{1,3})\.(?<d2>\d{1,3})\.(?<d3>\d{1,3})\.(?<d4>\d{1,3})"
| eval dec_src_ip = 'd1'*16777216+'d2'*65536+'d3'*256+'d4'+0



There is also an app that provides you a command to do the conversion:  
https://splunkbase.splunk.com/app/512

 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...