topic Unable to parse dns windows logs in splunk in Getting Data In

Unable to parse dns windows logs in splunk

OMohi — Sat, 31 Oct 2015 17:19:38 GMT

I am unable to parse windows logs in splunk. My raw event contains 2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0). I want to remove the () for the domain name.

I tried to configure the following in props.conf on the indexers and restarted them but no luck:

[DNS]
MAX_TIMESTAMP_LOOKAHEAD=128
TRUNCATE=20000
DATETIME_CONFIG=CURRENT
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
disabled=false
SEDCMD-win_dns = s/\(\d+\)/./g

Any assistance in troubleshooting this issue is greatly appreciated.

Thanks,
Mohammed Mohiuddin

Re: Unable to parse dns windows logs in splunk

jkat54 — Sat, 31 Oct 2015 19:36:14 GMT

Try using

\d

instead of d, also escape the ( & ) else you're forming a capture group

SEDCMD-win_dns = s/\(\d+\)/./g

Re: Unable to parse dns windows logs in splunk

martin_mueller — Sat, 31 Oct 2015 22:23:22 GMT

The backslashes in the question were lost in formatting, I've fixed them.

Re: Unable to parse dns windows logs in splunk

jkat54 — Sun, 01 Nov 2015 02:31:31 GMT

sedcmd only happens at index time.  Can you confirm you're not using a heavy forwarder to send the data in?

Also, you may want to try using rex to get the regular expression right first, and then move it to a sedcmd

search .... | rex field=fieldname mode=sec "s/\(\d+\)/./g" | table fieldname

I'm thinking you may need a \ in front of the . as well  Especially in windows as the windows regex is funny at times.

Re: Unable to parse dns windows logs in splunk

OMohi — Tue, 29 Sep 2020 07:44:37 GMT

Yes I am not using heavy forwarder. The logs are collected on universal forwarder and send to the indexer for parsing.

I am able to use the following query in search time, and hence tried to make this permanent by copying it in props.conf

THe following is the query I am trying to execute:

index=dns | rex mode=sed "s/(\d+)/./g"

and I am getting the domain name without the () brackets.

But unable to copy the same in props.conf and get similar results:
[DNS]
MAX_TIMESTAMP_LOOKAHEAD=128
TRUNCATE=20000
DATETIME_CONFIG=CURRENT
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
disabled=false
SEDCMD-win_dns = s/(\d+)/./g

Re: Unable to parse dns windows logs in splunk

martin_mueller — Sun, 01 Nov 2015 17:15:59 GMT

In current versions of Splunk, a lot of the Windows event log parsing happens on Universal Forwarders as well - do deploy that props.conf to your forwarder and see if it correctly changes newly indexed events from then on.

Re: Unable to parse dns windows logs in splunk

jkat54 — Mon, 02 Nov 2015 21:58:34 GMT

Interesting... good to know too!

Re: Unable to parse dns windows logs in splunk

OMohi — Tue, 03 Nov 2015 19:24:23 GMT

Yes I have made the props entry on the UF's as well and restarted, but still no luck.

Thanks

Re: Unable to parse dns windows logs in splunk

jkat54 — Wed, 04 Nov 2015 15:40:53 GMT

Try this:

s/((\d+))/./g

and this

s/\((\d+)\)/./g

We should check the docs to see what regex style windows uses, escape characters etc...

I like to change config and restart many times...

Re: Unable to parse dns windows logs in splunk

jkat54 — Wed, 04 Nov 2015 15:43:15 GMT

maybe this too:

s/\(\(\d+\)\)/./g

go crazy... you'll find it and post it back as the answer please ;-)

Re: Unable to parse dns windows logs in splunk

spayneort — Sat, 07 Nov 2015 06:28:09 GMT

This is what I use:

[MSAD:NT6:DNS]
SEDCMD-win_dns-first = s/\(\d+\)/./g
SEDCMD-win_dns-second = s/\s\.(.*)\.$/ \1/g

Re: Unable to parse dns windows logs in splunk

woodcock — Sat, 07 Nov 2015 14:28:07 GMT

You should be able to chain those together like this:

[MSAD:NT6:DNS]
SEDCMD-win_dns = s/\(\d+\)/./g s/\s\.(.*)\.$/ \1/g

Re: Unable to parse dns windows logs in splunk

aswin_asok — Fri, 20 Nov 2020 15:34:43 GMT

Hi,

In addition to the query like this (2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0), the logs are followed by UDP Response and many lines..

Ex.

] A (2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0)

UDP Response......

When I used - SEDCMD-win_dns = s/$\d+$/./g s/\s\.(.*)\.$/ \1/g

the log is formatted as ] A .35.48.199.157.in-addr.arpa.

There is a 'dot' at the end. Can you please advise on how to remove the trailing dot alone