Failing to extract to multivalue field with props.conf and transforms.conf

nkleck — Tue, 29 Sep 2020 22:33:45 GMT

Im not sure why I am not extracting into multivalue fields. It's only extracting the last matching group. I think its my regex. In splunk the answer_rdata is not a mv field, but contains the last value from the ANSWER SECTION

props.conf

[pfsense:unbound]
REPORT-unbound-mvfields = unbound_answer_section

transforms.conf

[unbound_answer_section]
REGEX = (?:ANSWER\sSECTION:\s(?:(?<answer_name>\S+)#011(?<answer_ttl>\S+)#011(?<answer_class>\S+)#011(?<answer_type>\S+)#011(?<answer_rdata>\S+)\s)+\s\;\;)
MV_ADD=true

Below is an example of the log entries. Id like to extract all the data in the ANSWERS SECTION into mv fields: answer_name, answer_ttl, answer_class, answer_type, and answer_rdata.

2019-01-02T17:34:19-05:00 10.10.30.1 unbound: [48511:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0  ;; QUESTION SECTION: gs-loc.ls-apple.com.akadns.net.#011IN#011A  ;; ANSWER SECTION: gs-loc.ls-apple.com.akadns.net.#01135#011IN#011A#01117.142.171.4 gs-loc.ls-apple.com.akadns.net.#01135#011IN#011A#01117.142.171.8 gs-loc.ls-apple.com.akadns.net.#01135#011IN#011A#01117.142.171.9  ;; AUTHORITY SECTION:  ;; ADDITIONAL SECTION: ;; MSG SIZE  rcvd: 96

2019-01-02T17:34:42-05:00 10.10.30.1 unbound: [48511:0] info: cname msg ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0  ;; QUESTION SECTION: init-p01md.apple.com.#011IN#011A  ;; ANSWER SECTION: init-p01md.apple.com.#0119665#011IN#011CNAME#011init-p01md-lb.push-apple.com.akadns.net.  ;; AUTHORITY SECTION:  ;; ADDITIONAL SECTION: ;; MSG SIZE  rcvd: 91

2019-01-02T18:52:01-05:00 10.10.30.1 unbound: [48511:0] info: msg from cache lookup ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 0  ;; QUESTION SECTION: amazonaws.com.#011IN#011DS  ;; ANSWER SECTION:  ;; AUTHORITY SECTION: xxxxxxxxxxxxxxxxxx.#01181254#011IN#011NSEC3#0111 1 0 - xxxxxxxxxxxxxxxxxxNS SOA RRSIG DNSKEY NSEC3PARAM ;{flags: optout} xxxxxxxxxxxxxxxxxx.com.#01181254#011IN#011RRSIG#011NSEC3 8 2 86400 20190107054258 20181231043258 37490 com. xxxxxxxxxxxxxxxxxx/2/xxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxx= ;{id = 37490} com.#011884#011IN#011SOA#011a.gtld-servers.net. nstld.verisign-grs.com. 1546473084 1800 900 604800 86400 com.#011884#011IN#011RRSIG#011SOA 8 1 900 20190109235124 20190102224124 37490 com. xxxxxxxxxxxxxxxxxx+xxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxx

Re: Failing to extract to multivalue field with props.conf and transforms.conf

p_gurav — Thu, 03 Jan 2019 03:59:44 GMT

Hi,

This may help :
https://docs.splunk.com/Documentation/Splunk/7.2.3/Knowledge/ConfigureSplunktoparsemulti-valuefields

Try using fields.conf with TOKENIZER as below:

[answer_domain]
TOKENIZER = (ANSWER SECTION):\s+(?P<domain>[^#]+)

[answer_ip]
TOKENIZER = #01(?P<answer_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

topic Re: Failing to extract to multivalue field with props.conf and transforms.conf in Splunk Search

Failing to extract to multivalue field with props.conf and transforms.conf

Re: Failing to extract to multivalue field with props.conf and transforms.conf