https://community.splunk.com/t5/Getting-Data-In/SEDCMD-help-with-Windows-DNS-logs/m-p/94452#M19650 <P>I am trying to use the SEDCMD when indexing Windows DNS logs as described in this solution:<BR /> <A href="http://splunk-base.splunk.com/answers/4546/field-extraction-regex-fu-help">http://splunk-base.splunk.com/answers/4546/field-extraction-regex-fu-help</A> In a nutshell the Windows DNS logs have the domain name being queried in this format: (6)images(6)google(3)com(0) and I need them in this format images.google.com</P> <P>I added these items to my props.conf in /opt/splunk/etc/system/local:</P> <P>[source::/home/dnsuser/Downloads/dns1.log]<BR /> sourcetype = windns</P> <P>[windns]<BR /> SEDCMD-domainname = s/(\(\d\))/./g</P> <P>Then I restarted Splunk, created a new index called DNS and a new data input for the file /home/dnsuser/Downloads/dns1.log. In the data input I manually specified windns as the source type. The data is in there and my field extractions specified in transforms.conf are working fine as I can see them by specifying either index=dns or sourcetype=windns. </P> <P>The domain name is extracted to a field called dns_query. When I view that field in the search results the domain name has not been modified by the SEDCMD. I know the syntax of the SEDCMD is correct because I can use it this way and the domain names are in the proper format:</P> <P>index=dns | rex "((?<DNS_QUERY>(\w+((\d))){1,}?)$)" | rex mode=sed field=dns_query "s/(\(\d\))/./g"</DNS_QUERY></P> <P>Any help would be appreciated.</P> Wed, 19 Oct 2011 13:38:05 GMT chemc 2011-10-19T13:38:05Z https://community.splunk.com/t5/Getting-Data-In/SEDCMD-help-with-Windows-DNS-logs/m-p/94452#M19650 <P>I am trying to use the SEDCMD when indexing Windows DNS logs as described in this solution:<BR /> <A href="http://splunk-base.splunk.com/answers/4546/field-extraction-regex-fu-help">http://splunk-base.splunk.com/answers/4546/field-extraction-regex-fu-help</A> In a nutshell the Windows DNS logs have the domain name being queried in this format: (6)images(6)google(3)com(0) and I need them in this format images.google.com</P> <P>I added these items to my props.conf in /opt/splunk/etc/system/local:</P> <P>[source::/home/dnsuser/Downloads/dns1.log]<BR /> sourcetype = windns</P> <P>[windns]<BR /> SEDCMD-domainname = s/(\(\d\))/./g</P> <P>Then I restarted Splunk, created a new index called DNS and a new data input for the file /home/dnsuser/Downloads/dns1.log. In the data input I manually specified windns as the source type. The data is in there and my field extractions specified in transforms.conf are working fine as I can see them by specifying either index=dns or sourcetype=windns. </P> <P>The domain name is extracted to a field called dns_query. When I view that field in the search results the domain name has not been modified by the SEDCMD. I know the syntax of the SEDCMD is correct because I can use it this way and the domain names are in the proper format:</P> <P>index=dns | rex "((?<DNS_QUERY>(\w+((\d))){1,}?)$)" | rex mode=sed field=dns_query "s/(\(\d\))/./g"</DNS_QUERY></P> <P>Any help would be appreciated.</P> Wed, 19 Oct 2011 13:38:05 GMT https://community.splunk.com/t5/Getting-Data-In/SEDCMD-help-with-Windows-DNS-logs/m-p/94452#M19650 chemc 2011-10-19T13:38:05Z https://community.splunk.com/t5/Getting-Data-In/SEDCMD-help-with-Windows-DNS-logs/m-p/94453#M19651 <P>I am having the same issue. On the Universal forwarder (Windows host) I have configured the following in $SPLUNK_HOME/etc/system/local/props.conf:</P> <P>[sourcetype::DNSSrvLog]<BR /> SEDCMD-dns_name = s/((\(\d+\))/./g</P> <P>and logs appeared not changed on the indexer</P> <P>I tried different REGEXes. The one above. The ones below:</P> <P>s/(\(\d+\))/./g</P> <P>s/(\(\d+\))/./g</P> <P>s/\(\d+\)/./g</P> <P>s/(\d+)/./g</P> <P>None of that worked. Any assistance will be appreciated.</P> Tue, 07 Feb 2012 19:02:41 GMT https://community.splunk.com/t5/Getting-Data-In/SEDCMD-help-with-Windows-DNS-logs/m-p/94453#M19651 ageld 2012-02-07T19:02:41Z https://community.splunk.com/t5/Getting-Data-In/SEDCMD-help-with-Windows-DNS-logs/m-p/94454#M19652 <P>If you're using a LightForwarder or Universal Forwarder the SEDCMD configuration needs to exist on the indexer(s) which actually performs the parsing work. </P> Tue, 12 Jun 2012 17:24:01 GMT https://community.splunk.com/t5/Getting-Data-In/SEDCMD-help-with-Windows-DNS-logs/m-p/94454#M19652 the_wolverine 2012-06-12T17:24:01Z https://community.splunk.com/t5/Getting-Data-In/SEDCMD-help-with-Windows-DNS-logs/m-p/94455#M19653 <P>SEDCMD doesn't work on the UF</P> Mon, 19 Mar 2018 20:56:00 GMT https://community.splunk.com/t5/Getting-Data-In/SEDCMD-help-with-Windows-DNS-logs/m-p/94455#M19653 landen99 2018-03-19T20:56:00Z https://community.splunk.com/t5/Getting-Data-In/SEDCMD-help-with-Windows-DNS-logs/m-p/94456#M19654 <PRE><CODE>SEDCMD-domainname = s/(\(\d+\))/./g </CODE></PRE> <P>You had an extra "\" and needed an extra "+"</P> Mon, 19 Mar 2018 21:12:46 GMT https://community.splunk.com/t5/Getting-Data-In/SEDCMD-help-with-Windows-DNS-logs/m-p/94456#M19654 landen99 2018-03-19T21:12:46Z