Skip to content

doksu/TA-ipconvert

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

TA-ipconvert

IP Format Conversion Scripted Lookup for Splunk

Splunk's built-in eval command can be used to perform IP address format conversion, however it's a complex and messy process that doesn't lend itself well to the mapping of IP address fields to the Common Information Model (CIM). This app provides an 'ipconvert' scripted lookup for converting IP addresses to and from an integer. With this app installed on the search head you can create a props.conf stanza to automatically convert an integer format IP address to a CIM-normalised string IP address field:

LOOKUP-example_src_ip = ipconvert integerfield AS ip_src OUTPUT stringfield AS src_ip

The lookup can also be used in-line with SPL. For example:

| stats count | eval src_ip_int="3232235521" | lookup ipconvert integerfield AS src_ip_int OUTPUT stringfield AS src_ip

Further documentation is provided in the wiki here: https://github.com/doksu/TA-ipconvert/wiki

About

IP Format Conversion Scripted Lookup for Splunk

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages