https://community.splunk.com/t5/All-Apps-and-Add-ons/Defining-the-multiple-source-type-from-single-file-we-are-using/m-p/433594#M53223 <P>Hi All,</P> <P>As per Splunk Add-on for ISC BIND dns query and dns errors logs should be in different file however we have single file which has query and error logs together .</P> <P>Issue is what sourcetype should we define so that sourcetype are tagged based on the query or error logs.</P> <P>Current scenario :<BR /> query logs and error logs are written into single file . Let's say dns.logs</P> <P>Now in <STRONG>input.conf</STRONG> on Heavy Forwader</P> <P>[monitor:///opt/syslog-data/dnsserver/dns.log]<BR /> host_regex = .<EM>\/(.</EM>)\/\d\d\d\d-\d\d-\d\d.log<BR /> sourcetype = <STRONG>[what sourcetype should i define here ]</STRONG></P> <P><STRONG>props.conf</STRONG> </P> <P>[isc:bind:query]<BR /> REPORT-1_extract_field = isc_bind_query_extract_field_0<BR /> EVAL-message_type = "Query"<BR /> EVAL-query_type = "Query"<BR /> EVAL-vendor_product = "ISC:Bind"<BR /> LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity<BR /> LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category</P> <P>[isc:bind:queryerror]<BR /> REPORT-1_extract_field = isc_bind_queryerror_extract_field_0<BR /> EVAL-message_type = "Response"<BR /> EVAL-vendor_product = "ISC:Bind"<BR /> LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity<BR /> LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category<BR /> LOOKUP-4_look_up_extract = isc_bind_reply_code_lookup response_code OUTPUT reply_code</P> <P>[isc:bind:lameserver]<BR /> REPORT-1_extract_field = isc_bind_lameserver_extract_field_0<BR /> EVAL-app = "ISC:Bind"<BR /> EVAL-type = "alert"<BR /> LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity<BR /> LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category</P> <P>[isc:bind:network]<BR /> REPORT-1_extract_field = isc_bind_network_extract_field_0<BR /> REPORT-3_extract_field = isc_bind_network_extract_field_2<BR /> EVAL-ip = CASE(match(ip, "::"), "127.0.0.1", match(ip, ".*"), ip)<BR /> LOOKUP-4_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity<BR /> LOOKUP-5_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category<BR /> LOOKUP-6_look_up_extract = isc_bind_action_lookup vendor_action OUTPUT action</P> <P>[isc:bind:transfer]<BR /> REPORT-1_extract_field = isc_bind_transfer_extract_field_0<BR /> REPORT-3_extract_field = isc_bind_transfer_extract_field_2<BR /> REPORT-5_extract_field = isc_bind_transfer_extract_field_4<BR /> REPORT-7_extract_field = isc_bind_transfer_extract_field_6<BR /> EVAL-message_type = CASE(match(vendor_action, "sending notifies|sending notify to|notify to"), "Query", match(vendor_action, "notify response from"), "Response")<BR /> EVAL-query_type = CASE(match(vendor_action, "sending notifies|sending notify to|notify to"), "Notify")<BR /> EVAL-vendor_product = "ISC:Bind"<BR /> LOOKUP-8_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity<BR /> LOOKUP-9_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category<BR /> LOOKUP-10_look_up_extract = isc_bind_action_lookup vendor_action OUTPUT action<BR /> LOOKUP-11_look_up_extract = isc_bind_reply_code_lookup response_code OUTPUT reply_code</P> <P>transforms.conf</P> <P>[isc_bind_query_extract_field_0]<BR /> REGEX = (?:\s+queries:)?(?:\s+([^:]+):)?\s+client\s+([\w-.:]{1,100})#(\d{1,5})(?:\s+([^)]+))?:(?:\s+view\s+[^:]+:)?\s+query:\s+(?([\w-.:]{1,100}))?\s+([^\s]+)\s+([^\s]+)\s+<A href="https://community.splunk.com/%5B%5Es%5D*" target="_blank">+-</A>\s+(([\w-.:]{1,100}))$<BR /> FORMAT = vendor_severity::$1 src::$2 src_port::$3 query::$4 record_class::$5 record_type::$6 flag::$7 dest::$8</P> <P>[isc_bind_queryerror_extract_field_0]<BR /> REGEX = (?:\s+query-errors:)?(?:\s+([^:]+):)?\s+client\s+([\w-.:]{1,100})#(\d{1,5}):(?:\s+view\s+[^:]+:)?\s+query\s+failed\s+(([^)]+))\s+for\s+([\w-.:]{1,100})/([^/]+)/([^\s]+)\s+at\s+([^:]+):(\d+)$<BR /> FORMAT = vendor_severity::$1 src::$2 src_port::$3 response_code::$4 query::$5 record_class::$6 record_type::$7 file_name::$8 file_location::$9</P> <P>[isc_bind_lameserver_extract_field_0]<BR /> REGEX = (?:\s+lame-servers:)?(?:\s+([^:]+):)?\s+(error\s+(([^)]+))\s+resolving\s+'([\w-.:]{1,100})/([^/]+)/([^']+)':\s+([\w-.:]{1,100})#(\d{1,5}))$<BR /> FORMAT = vendor_severity::$1 body::$2 error_type::$3 query::$4 record_type::$5 record_class::$6 dest::$7 dest_port::$8</P> <P>[isc_bind_network_extract_field_0]<BR /> REGEX = (?:\s+network:)?(?:\s+([^:]+):)?\s+(no\s+longer\s+listening\s+on)\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|::)#(\d{1,5})$<BR /> FORMAT = vendor_severity::$1 vendor_action::$2 ip::$3 port::$4</P> <P>[isc_bind_network_extract_field_2]<BR /> REGEX = (?:\s+network:)?(?:\s+([^:]+):)?\s+(listening\s+on)\s+([^\s]+)\s+interface\s+([^,]+),\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|::)#(\d{1,5})$<BR /> FORMAT = vendor_severity::$1 vendor_action::$2 proto::$3 interface::$4 ip::$5 port::$6</P> <P>[isc_bind_transfer_extract_field_0]<BR /> REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(sending\s+notifies)\s+(serial\s+([^)]+))$<BR /> FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 serial_number::$5</P> <P>[isc_bind_transfer_extract_field_2]<BR /> REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(sending\s+notify\s+to)\s+([\w-.:]{1,100})#(\d{1,5})$<BR /> FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 dest::$5 dest_port::$6</P> <P>[isc_bind_transfer_extract_field_4]<BR /> REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(notify\s+to)\s+([\w-.:]{1,100})#(\d{1,5})(?:[^:]<EM>:)\s+(.</EM>)$<BR /> FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 dest::$5 dest_port::$6 detail::$7</P> <P>[isc_bind_transfer_extract_field_6]<BR /> REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(notify\s+response\s+from)\s+([\w-.:]{1,100})#(\d{1,5}):\s+(.*)$<BR /> FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 src::$5 src_port::$6 response_code::$7</P> <P>[isc_bind_severities_lookup]<BR /> filename = isc_bind_severities.csv</P> <P>[isc_bind_category_lookup]<BR /> filename = isc_bind_category.csv</P> <P>[isc_bind_reply_code_lookup]<BR /> filename = isc_bind_reply_code.csv</P> <P>[isc_bind_action_lookup]<BR /> filename = isc_bind_action.csv</P> <P>Thanks in advance </P> Tue, 29 Sep 2020 19:48:01 GMT sumitkathpal 2020-09-29T19:48:01Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Defining-the-multiple-source-type-from-single-file-we-are-using/m-p/433594#M53223 <P>Hi All,</P> <P>As per Splunk Add-on for ISC BIND dns query and dns errors logs should be in different file however we have single file which has query and error logs together .</P> <P>Issue is what sourcetype should we define so that sourcetype are tagged based on the query or error logs.</P> <P>Current scenario :<BR /> query logs and error logs are written into single file . Let's say dns.logs</P> <P>Now in <STRONG>input.conf</STRONG> on Heavy Forwader</P> <P>[monitor:///opt/syslog-data/dnsserver/dns.log]<BR /> host_regex = .<EM>\/(.</EM>)\/\d\d\d\d-\d\d-\d\d.log<BR /> sourcetype = <STRONG>[what sourcetype should i define here ]</STRONG></P> <P><STRONG>props.conf</STRONG> </P> <P>[isc:bind:query]<BR /> REPORT-1_extract_field = isc_bind_query_extract_field_0<BR /> EVAL-message_type = "Query"<BR /> EVAL-query_type = "Query"<BR /> EVAL-vendor_product = "ISC:Bind"<BR /> LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity<BR /> LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category</P> <P>[isc:bind:queryerror]<BR /> REPORT-1_extract_field = isc_bind_queryerror_extract_field_0<BR /> EVAL-message_type = "Response"<BR /> EVAL-vendor_product = "ISC:Bind"<BR /> LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity<BR /> LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category<BR /> LOOKUP-4_look_up_extract = isc_bind_reply_code_lookup response_code OUTPUT reply_code</P> <P>[isc:bind:lameserver]<BR /> REPORT-1_extract_field = isc_bind_lameserver_extract_field_0<BR /> EVAL-app = "ISC:Bind"<BR /> EVAL-type = "alert"<BR /> LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity<BR /> LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category</P> <P>[isc:bind:network]<BR /> REPORT-1_extract_field = isc_bind_network_extract_field_0<BR /> REPORT-3_extract_field = isc_bind_network_extract_field_2<BR /> EVAL-ip = CASE(match(ip, "::"), "127.0.0.1", match(ip, ".*"), ip)<BR /> LOOKUP-4_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity<BR /> LOOKUP-5_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category<BR /> LOOKUP-6_look_up_extract = isc_bind_action_lookup vendor_action OUTPUT action</P> <P>[isc:bind:transfer]<BR /> REPORT-1_extract_field = isc_bind_transfer_extract_field_0<BR /> REPORT-3_extract_field = isc_bind_transfer_extract_field_2<BR /> REPORT-5_extract_field = isc_bind_transfer_extract_field_4<BR /> REPORT-7_extract_field = isc_bind_transfer_extract_field_6<BR /> EVAL-message_type = CASE(match(vendor_action, "sending notifies|sending notify to|notify to"), "Query", match(vendor_action, "notify response from"), "Response")<BR /> EVAL-query_type = CASE(match(vendor_action, "sending notifies|sending notify to|notify to"), "Notify")<BR /> EVAL-vendor_product = "ISC:Bind"<BR /> LOOKUP-8_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity<BR /> LOOKUP-9_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category<BR /> LOOKUP-10_look_up_extract = isc_bind_action_lookup vendor_action OUTPUT action<BR /> LOOKUP-11_look_up_extract = isc_bind_reply_code_lookup response_code OUTPUT reply_code</P> <P>transforms.conf</P> <P>[isc_bind_query_extract_field_0]<BR /> REGEX = (?:\s+queries:)?(?:\s+([^:]+):)?\s+client\s+([\w-.:]{1,100})#(\d{1,5})(?:\s+([^)]+))?:(?:\s+view\s+[^:]+:)?\s+query:\s+(?([\w-.:]{1,100}))?\s+([^\s]+)\s+([^\s]+)\s+<A href="https://community.splunk.com/%5B%5Es%5D*" target="_blank">+-</A>\s+(([\w-.:]{1,100}))$<BR /> FORMAT = vendor_severity::$1 src::$2 src_port::$3 query::$4 record_class::$5 record_type::$6 flag::$7 dest::$8</P> <P>[isc_bind_queryerror_extract_field_0]<BR /> REGEX = (?:\s+query-errors:)?(?:\s+([^:]+):)?\s+client\s+([\w-.:]{1,100})#(\d{1,5}):(?:\s+view\s+[^:]+:)?\s+query\s+failed\s+(([^)]+))\s+for\s+([\w-.:]{1,100})/([^/]+)/([^\s]+)\s+at\s+([^:]+):(\d+)$<BR /> FORMAT = vendor_severity::$1 src::$2 src_port::$3 response_code::$4 query::$5 record_class::$6 record_type::$7 file_name::$8 file_location::$9</P> <P>[isc_bind_lameserver_extract_field_0]<BR /> REGEX = (?:\s+lame-servers:)?(?:\s+([^:]+):)?\s+(error\s+(([^)]+))\s+resolving\s+'([\w-.:]{1,100})/([^/]+)/([^']+)':\s+([\w-.:]{1,100})#(\d{1,5}))$<BR /> FORMAT = vendor_severity::$1 body::$2 error_type::$3 query::$4 record_type::$5 record_class::$6 dest::$7 dest_port::$8</P> <P>[isc_bind_network_extract_field_0]<BR /> REGEX = (?:\s+network:)?(?:\s+([^:]+):)?\s+(no\s+longer\s+listening\s+on)\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|::)#(\d{1,5})$<BR /> FORMAT = vendor_severity::$1 vendor_action::$2 ip::$3 port::$4</P> <P>[isc_bind_network_extract_field_2]<BR /> REGEX = (?:\s+network:)?(?:\s+([^:]+):)?\s+(listening\s+on)\s+([^\s]+)\s+interface\s+([^,]+),\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|::)#(\d{1,5})$<BR /> FORMAT = vendor_severity::$1 vendor_action::$2 proto::$3 interface::$4 ip::$5 port::$6</P> <P>[isc_bind_transfer_extract_field_0]<BR /> REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(sending\s+notifies)\s+(serial\s+([^)]+))$<BR /> FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 serial_number::$5</P> <P>[isc_bind_transfer_extract_field_2]<BR /> REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(sending\s+notify\s+to)\s+([\w-.:]{1,100})#(\d{1,5})$<BR /> FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 dest::$5 dest_port::$6</P> <P>[isc_bind_transfer_extract_field_4]<BR /> REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(notify\s+to)\s+([\w-.:]{1,100})#(\d{1,5})(?:[^:]<EM>:)\s+(.</EM>)$<BR /> FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 dest::$5 dest_port::$6 detail::$7</P> <P>[isc_bind_transfer_extract_field_6]<BR /> REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(notify\s+response\s+from)\s+([\w-.:]{1,100})#(\d{1,5}):\s+(.*)$<BR /> FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 src::$5 src_port::$6 response_code::$7</P> <P>[isc_bind_severities_lookup]<BR /> filename = isc_bind_severities.csv</P> <P>[isc_bind_category_lookup]<BR /> filename = isc_bind_category.csv</P> <P>[isc_bind_reply_code_lookup]<BR /> filename = isc_bind_reply_code.csv</P> <P>[isc_bind_action_lookup]<BR /> filename = isc_bind_action.csv</P> <P>Thanks in advance </P> Tue, 29 Sep 2020 19:48:01 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Defining-the-multiple-source-type-from-single-file-we-are-using/m-p/433594#M53223 sumitkathpal 2020-09-29T19:48:01Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Defining-the-multiple-source-type-from-single-file-we-are-using/m-p/433595#M53224 <P>Help required @elliotproebstel</P> Sun, 03 Jun 2018 03:12:11 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Defining-the-multiple-source-type-from-single-file-we-are-using/m-p/433595#M53224 sumitkathpal 2018-06-03T03:12:11Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Defining-the-multiple-source-type-from-single-file-we-are-using/m-p/433596#M53225 <P>Help................</P> Tue, 05 Jun 2018 11:53:47 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Defining-the-multiple-source-type-from-single-file-we-are-using/m-p/433596#M53225 sumitkathpal 2018-06-05T11:53:47Z