I have fields that contain long hexadecimal numbers, e.g. 000000000FFFF24CA110B
The prefix is the 0's and the four F's. So the only needed characters are the last 8 (2 for each octet of the IP address).
This number needs to be converted to an IP address, but when I convert from hex to decimal it doesn't recognize that there are 4 separate numbers in there, so I get a value of 2,###,###,### for each field.
How can I get around this without doing all kinds of splitting and re-merging functions?
I fear there's no easy way around it, but thought I would ask first.
If you could get a grok{} filter to parse your IP(hex) into four different fields, by forcing each two characters into a field using some regex magic, then you could place them into a dictionary, key-value style, and use a ruby{} filter to iterate through the dictionary and return the four fields in decimal, either as integer (.to_i(16) or .hex) or as string (.to_s.hex).
That helped a lot. I was able to get exactly what I needed by using a grok filter to get the IP address hex characters separated and then a ruby filter for the rest. However, I was told that using a grok filter for everything else is far more efficient (except for the conversion from hex to decimal).
So with that said, do you have a suggestion on how I can use grok to parse the hex number into pairs?
For example: my first filter changes the number from 000000000FFFF24CA110B to 24CA110B. Now I need to split that number into pairs (each octet) using grok rather than ruby. Character pairs are at positions (0,1) - (2,3) - (4,5) - (6,7)
Any idea how I might accomplish that?
My first code piece is this: grok { match => ["AP_TILIP", "00000000000000000000FFFF%{WORD:Local_IP_Hex}"] }
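Added example, not code from the thread: the pair-splitting grok pattern asked for above, written as the named captures grok accepts, plus the matching ruby{} filter body, checked in plain Ruby so the conversion can be verified outside Logstash. It also shows the alternative that avoids splitting altogether: convert the 8 hex characters to one 32-bit integer and let IPAddr render it. The field names AP_TILIP and Local_IP_Hex come from the thread; o1..o4, Local_IP and the 32-hex-character input value are assumptions chosen for the example.

```ruby
require 'ipaddr'
require 'socket'

# Grok uses Oniguruma regexes, so named captures of the form (?<name>...) are
# accepted directly in a match pattern. This is the pair-splitting pattern:
# twenty zeros, FFFF, then four two-hex-digit octets captured by name.
OCTET = '[0-9A-Fa-f]{2}'.freeze
HEX_IP_PATTERN = /\A0{20}FFFF(?<o1>#{OCTET})(?<o2>#{OCTET})(?<o3>#{OCTET})(?<o4>#{OCTET})\z/

# The same pattern as it would be pasted into a Logstash pipeline (config
# fragment, not run here). Field names o1..o4 and Local_IP are assumed.
LOGSTASH_FILTER = <<~'CONF'
  filter {
    grok {
      match => ["AP_TILIP", "^0{20}FFFF(?<o1>[0-9A-Fa-f]{2})(?<o2>[0-9A-Fa-f]{2})(?<o3>[0-9A-Fa-f]{2})(?<o4>[0-9A-Fa-f]{2})$"]
    }
    ruby {
      code => '
        octets = ["o1", "o2", "o3", "o4"].map { |f| event.get(f).hex }
        event.set("Local_IP", octets.join("."))
      '
    }
  }
CONF

# Equivalent of the ruby{} filter body: each captured hex pair -> decimal octet.
def hex_octets_to_ip(match)
  %w[o1 o2 o3 o4].map { |k| match[k].hex }.join('.')
end

# Split-then-convert approach. Returns nil when the field is not an
# IPv4-mapped value (no FFFF prefix or wrong length), so a downstream filter
# can tag the event instead of emitting a bogus address.
def parse_hex_ip(field)
  m = HEX_IP_PATTERN.match(field)
  return nil unless m
  hex_octets_to_ip(m)
end

# No-split approach: the 8 characters after the prefix (Local_IP_Hex in the
# thread) are one 32-bit integer; IPAddr formats it in dotted-quad form.
def hex32_to_ip(local_ip_hex)
  return nil unless local_ip_hex =~ /\A[0-9A-Fa-f]{8}\z/
  IPAddr.new(local_ip_hex.hex, Socket::AF_INET).to_s
end

# Constructed sample value: the thread's 24CA110B behind a full 20-zero + FFFF prefix.
SAMPLE_FIELD = '00000000000000000000FFFF24CA110B'.freeze

if __FILE__ == $PROGRAM_NAME
  puts parse_hex_ip(SAMPLE_FIELD)      # 36.202.17.11
  puts hex32_to_ip('24CA110B')         # 36.202.17.11
  puts LOGSTASH_FILTER
end
```

The "2,###,###,###" figure in the question is what `.hex` on the whole 8-character string yields: the four octets packed into one integer. `hex32_to_ip` shows that this integer is not a dead end; handing it to IPAddr with AF_INET does the octet split for you, so the ruby{} filter can stay a one-liner and grok only needs to strip the prefix.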