<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Parsing DNS logs sent from EpiLog agent in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Parsing-DNS-logs-sent-from-EpiLog-agent/m-p/580848#M102439</link>
    <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49493"&gt;@tscroggins&lt;/a&gt; I tried the above, but it made the event splitting worse. The best performance I've gotten so far is with the corrected time format like you posted and your suggested TIME_PREFIX, but with the parameters in the stanza otherwise the same as in my original post.&lt;/P&gt;</description>
    <pubDate>Wed, 12 Jan 2022 19:49:21 GMT</pubDate>
    <dc:creator>Dmikos1271</dc:creator>
    <dc:date>2022-01-12T19:49:21Z</dc:date>
    <item>
      <title>Parsing DNS logs sent from EpiLog agent</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Parsing-DNS-logs-sent-from-EpiLog-agent/m-p/579635#M102318</link>
      <description>&lt;P&gt;Our DNS logs are sent via syslog to an HF through an Epilog agent. The EpiLog agent reads the dns log file line by line and each line is sent as a separate event to the HF, looking something like this:&lt;/P&gt;&lt;P&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 12/24/2021 12:02:06 AM 04B4 PACKET 000000####### UDP Rcv 142.####### 3f94 R Q [8281 DR SERVFAIL] PTR (2)87in-addr(4)arpa(0)&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 UDP response info at 000000EE456861F0&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 Socket = 1244&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 Remote addr 142.1#######, port 53&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 Time Query=1220313, Queued=0, Expire=0&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 Buf length = 0x0fa0 (4000)&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 Msg length = 0x0037 (55)&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 Message:&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 XID 0x3f94&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 Flags 0x8182&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 QR 1 (RESPONSE)&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 OPCODE 0 (QUERY)&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 AA 0&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 TC 0&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 RD 1&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 RA 1&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 Z 0&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 CD 0&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 AD 0&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 RCODE 2 (SERVFAIL)&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 QCOUNT 1&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.1####### MSDNSLog 0 ACOUNT 0&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.####### MSDNSLog 0 NSCOUNT 0&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.1###### MSDNSLog 0 ARCOUNT 1&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.1##### MSDNSLog 0 QUESTION SECTION:&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;Dec 24 04:05:11 192.1##### MSDNSLog 0 Offset = 0x000c, RR count = 0&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;So originally each of those lines was indexed as a separate event in Splunk. I played around with the props.conf file for that specific sourcetype and set the parameters as follows:&lt;/P&gt;&lt;P&gt;&lt;EM&gt;SHOULD_LINEMERGE=TRUE&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;TIME_PREFIX&lt;/EM&gt; to match &lt;EM&gt;Dec 24 04:05:11 192.###### MSDNSLog 0&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;TIME_FORMAT=%m/%d/%Y %l:%M:%S %p&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;BREAK_ONLY_BEFORE=PACKET&lt;/EM&gt; (every event starts with a line that contains PACKET)&lt;/P&gt;&lt;P&gt;&lt;EM&gt;LINE_BREAKER = ([\r\n]+)&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;TRUNCATE=0&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;MAX_EVENTS=500000&lt;/EM&gt; (I've seen some events be very long)&lt;/P&gt;&lt;P&gt;&lt;EM&gt;MAX_TIMESTAMP_LOOKAHEAD=100&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;SEDCMD-null = regex to get rid of Dec 24 04:05:11 192.####### MSDNSLog 0 at the beginning of every line&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;Based on my understanding (and I played around with Add Data on a search head and the above parameters, where it works), the following should happen: the lines are broken on each new line, then they are merged, with each new event being formed when a line has PACKET in it; the timestamp is extracted and then the MSDNSLog stuff at the beginning of each line is removed.&lt;/P&gt;&lt;P&gt;However, I'm not seeing the timestamp being extracted properly and some (not all) of the DNS events get split like below into separate events:&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dmikos1271_0-1640901125251.png" style="width: 400px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/17378iF02F99336BD59DEF/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Dmikos1271_0-1640901125251.png" alt="Dmikos1271_0-1640901125251.png" /&gt;&lt;/span&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dmikos1271_1-1640901137015.png" style="width: 400px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/17379i4B7A6861B8A11AD0/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Dmikos1271_1-1640901137015.png" alt="Dmikos1271_1-1640901137015.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;What could I be missing to get all events merged correctly? Please keep in mind that using sysmon/network tap/stream is not an option at the moment, so I'm stuck with trying to get the data ingested properly using the conf files.&lt;/P&gt;</description>
      <pubDate>Thu, 30 Dec 2021 21:55:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Parsing-DNS-logs-sent-from-EpiLog-agent/m-p/579635#M102318</guid>
      <dc:creator>Dmikos1271</dc:creator>
      <dc:date>2021-12-30T21:55:55Z</dc:date>
    </item>
    <item>
      <title>Re: Parsing DNS logs sent from EpiLog agent</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Parsing-DNS-logs-sent-from-EpiLog-agent/m-p/579735#M102325</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241835"&gt;@Dmikos1271&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Rather than using line merging, let's disable line merging and configure line breaking directly:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="javascript"&gt;# replace with your source, source type, etc.
[source::udp:514]
SHOULD_LINEMERGE = false
# Group 1 is the delimiter Splunk discards, so the whole newline run goes inside it.
# The MS DNS debug log does not zero-pad month, day or hour, and a BSD syslog day
# below 10 is space-padded, so those fields are matched with \d{1,2} / \s+.
LINE_BREAKER = ([\r\n]+)\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} MSDNSLog 0 \d{1,2}\/\d{1,2}\/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M
# trailing space after 0!
TIME_PREFIX = MSDNSLog 0 
# "12/24/2021 12:02:06 AM" is 22 characters
MAX_TIMESTAMP_LOOKAHEAD = 23
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p
#TZ = &amp;lt;time zone&amp;gt;&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is a "best practice," although actual best practices depend on context.&lt;/P&gt;&lt;P&gt;The LINE_BREAKER value matches all lines with timestamps and IPv4 addresses containing the timestamp you want to extract. This is the beginning of the event. The next time the regular expression matches, a new event will be created. All lines between the matches will be added to the current event.&lt;/P&gt;&lt;P&gt;Note the trailing space after the 0 in TIME_PREFIX.&lt;/P&gt;&lt;P&gt;I've assumed a 12-hour clock from your example. Be sure to set the TZ value (see &lt;A href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones" target="_blank" rel="noopener"&gt;https://en.wikipedia.org/wiki/List_of_tz_database_time_zones&lt;/A&gt;) if the event time zone differs from the time zone of your Splunk instance.&lt;/P&gt;</description>
      <pubDate>Sun, 02 Jan 2022 18:17:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Parsing-DNS-logs-sent-from-EpiLog-agent/m-p/579735#M102325</guid>
      <dc:creator>tscroggins</dc:creator>
      <dc:date>2022-01-02T18:17:30Z</dc:date>
    </item>
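Added example (not from the thread above and not Splunk's own code): a small Python test bench that applies the props.conf settings from the reply to constructed sample lines, so the LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT values can be checked offline before they are pushed to a heavy forwarder. It models the documented Splunk rule that the first capture group of LINE_BREAKER is the discarded delimiter and the rest of the match starts the next event. The sample lines, the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses and the second packet with an unpadded month, day and hour are constructed for the example; the relaxed breaker that accepts them is an assumption of this example, placed beside the fixed-width pattern as posted so the difference in event count is visible.

```python
import re
from datetime import datetime

# Constructed sample (not from the thread): two Epilog-forwarded MS DNS debug-log
# packets. The second has an unpadded month, day and hour and a single-digit
# syslog day, which a fixed-width pattern does not recognise as an event start.
SAMPLE = "\r\n".join([
    "Dec 24 04:05:11 192.0.2.10 MSDNSLog 0 12/24/2021 12:02:06 AM 04B4 PACKET "
    "000000EE456861F0 UDP Rcv 198.51.100.7 3f94 R Q [8281 DR SERVFAIL] PTR (2)87in-addr(4)arpa(0)",
    "Dec 24 04:05:11 192.0.2.10 MSDNSLog 0 UDP response info at 000000EE456861F0",
    "Dec 24 04:05:11 192.0.2.10 MSDNSLog 0 Socket = 1244",
    "Dec 24 04:05:11 192.0.2.10 MSDNSLog 0 RCODE 2 (SERVFAIL)",
    "Jan  4 09:07:02 192.0.2.10 MSDNSLog 0 1/4/2022 9:07:01 AM 0A1C PACKET "
    "000000EE45686300 UDP Snd 203.0.113.5 b2c1 R Q [8081 DR NOERROR] A (3)www(7)example(3)com(0)",
    "Jan  4 09:07:02 192.0.2.10 MSDNSLog 0 Socket = 1244",
])

# LINE_BREAKER as posted in the reply (fixed-width date and time fields).
STRICT_BREAKER = re.compile(
    r"([\r\n]+)\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} "
    r"MSDNSLog 0 \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (A|P)M"
)
# Relaxed variant (assumption of this example): space-padded syslog day, and
# unpadded month, day and hour as the MS DNS debug log writes them.
RELAXED_BREAKER = re.compile(
    r"([\r\n]+)\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} "
    r"MSDNSLog 0 \d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"
)
TIME_PREFIX = re.compile(r"MSDNSLog 0 ")
MAX_TIMESTAMP_LOOKAHEAD = 23
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"
TIMESTAMP_SHAPE = re.compile(r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M")
# The SEDCMD idea from the original post as a Python regex: drop the
# syslog/Epilog prefix from every line of an event.
SYSLOG_PREFIX = re.compile(r"(?m)^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ MSDNSLog 0 ")


def break_events(raw, breaker=RELAXED_BREAKER):
    """Split raw text the way Splunk applies LINE_BREAKER with
    SHOULD_LINEMERGE=false: group 1 of each match is the delimiter and is
    discarded; everything from the end of group 1 starts the next event."""
    events, start = [], 0
    for m in breaker.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def extract_timestamp(event):
    """Mimic TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT: look only in
    the window right after the first prefix match, then parse that window."""
    prefix = TIME_PREFIX.search(event)
    if prefix is None:
        return None
    window = event[prefix.end():prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    shaped = TIMESTAMP_SHAPE.match(window)
    if shaped is None:
        return None
    return datetime.strptime(shaped.group(0), TIME_FORMAT)


def strip_syslog_prefix(event):
    """Apply the SEDCMD-style cleanup to every line of one event."""
    return SYSLOG_PREFIX.sub("", event)


def parse(raw, breaker=RELAXED_BREAKER):
    """Return (timestamp as ISO string or None, cleaned event text) per event."""
    out = []
    for ev in break_events(raw, breaker):
        ts = extract_timestamp(ev)
        out.append((ts.isoformat() if ts else None, strip_syslog_prefix(ev)))
    return out


if __name__ == "__main__":
    for breaker, name in ((STRICT_BREAKER, "strict"), (RELAXED_BREAKER, "relaxed")):
        print(name, "events:", len(break_events(SAMPLE, breaker)))
    for ts, text in parse(SAMPLE):
        print(ts, "|", text.splitlines()[0])
```

Run it as a script to see that the strict pattern leaves the two sample packets glued into one event while the relaxed pattern yields two, each with its own timestamp taken from the MS DNS field rather than the syslog header. When adapting this to real data, paste a few hundred lines captured at the heavy forwarder into SAMPLE, since Python's re and Splunk's PCRE agree on everything these patterns use, and any line the breaker misses here will be merged into the previous event on the indexer too.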
    <item>
      <title>Re: Parsing DNS logs sent from EpiLog agent</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Parsing-DNS-logs-sent-from-EpiLog-agent/m-p/580848#M102439</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49493"&gt;@tscroggins&lt;/a&gt; I tried the above, but it made the event splitting worse. The best performance I've gotten so far is with the corrected time format like you posted and your suggested TIME_PREFIX, but with the parameters in the stanza otherwise the same as in my original post.&lt;/P&gt;</description>
      <pubDate>Wed, 12 Jan 2022 19:49:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Parsing-DNS-logs-sent-from-EpiLog-agent/m-p/580848#M102439</guid>
      <dc:creator>Dmikos1271</dc:creator>
      <dc:date>2022-01-12T19:49:21Z</dc:date>
    </item>
  </channel>
</rss>

