Converting IP addresses from Hex to normal format in Splunk

Question

How do you convert IP address data in a splunk field from HEX to the normal 4 octet format?

I'm sure you could do it via transforms.conf on the originating forwarder but to be honest it's probably easier to change the original output, what's generating this output? — Chopper3, Jun 04 '15 at 00:26

score 0 · Answer 1 · answered Jun 03 '15 at 23:52

I don't know about "in Splunk", but the conversion is easy - take two hex digits for each octet, put dots between them, convert each pair to decimal.

Many languages have a conversion function, otherwise for a one-off use http://www.binaryhexconverter.com/hex-to-decimal-converter.

e.g. C0A8FE01 -> C0.A8.FE.01 -> 192.A8.FE.01 -> 192.168.FE.01 -> 192.168.254.1

1 Answers1