Defining multiple sourcetypes from a single file (we are using the Splunk Add-on for ISC BIND)

sumitkathpal
Explorer

Hi All,

As per the Splunk Add-on for ISC BIND, DNS query and DNS error logs should be in different files; however, we have a single file which has query and error logs together.

The issue is: what sourcetype should we define so that the sourcetype is tagged based on the query or error logs?

Current scenario:
Query logs and error logs are written into a single file, let's say dns.log.

Now in inputs.conf on the Heavy Forwarder:

[monitor:///opt/syslog-data/dnsserver/dns.log]
host_regex = .*\/(.*)\/\d\d\d\d-\d\d-\d\d\.log
sourcetype = [what sourcetype should I define here?]

props.conf

[isc:bind:query]
REPORT-1_extract_field = isc_bind_query_extract_field_0
EVAL-message_type = "Query"
EVAL-query_type = "Query"
EVAL-vendor_product = "ISC:Bind"
LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category

[isc:bind:queryerror]
REPORT-1_extract_field = isc_bind_queryerror_extract_field_0
EVAL-message_type = "Response"
EVAL-vendor_product = "ISC:Bind"
LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category
LOOKUP-4_look_up_extract = isc_bind_reply_code_lookup response_code OUTPUT reply_code

[isc:bind:lameserver]
REPORT-1_extract_field = isc_bind_lameserver_extract_field_0
EVAL-app = "ISC:Bind"
EVAL-type = "alert"
LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category

[isc:bind:network]
REPORT-1_extract_field = isc_bind_network_extract_field_0
REPORT-3_extract_field = isc_bind_network_extract_field_2
EVAL-ip = CASE(match(ip, "::"), "127.0.0.1", match(ip, ".*"), ip)
LOOKUP-4_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-5_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category
LOOKUP-6_look_up_extract = isc_bind_action_lookup vendor_action OUTPUT action

[isc:bind:transfer]
REPORT-1_extract_field = isc_bind_transfer_extract_field_0
REPORT-3_extract_field = isc_bind_transfer_extract_field_2
REPORT-5_extract_field = isc_bind_transfer_extract_field_4
REPORT-7_extract_field = isc_bind_transfer_extract_field_6
EVAL-message_type = CASE(match(vendor_action, "sending notifies|sending notify to|notify to"), "Query", match(vendor_action, "notify response from"), "Response")
EVAL-query_type = CASE(match(vendor_action, "sending notifies|sending notify to|notify to"), "Notify")
EVAL-vendor_product = "ISC:Bind"
LOOKUP-8_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-9_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category
LOOKUP-10_look_up_extract = isc_bind_action_lookup vendor_action OUTPUT action
LOOKUP-11_look_up_extract = isc_bind_reply_code_lookup response_code OUTPUT reply_code

transforms.conf

[isc_bind_query_extract_field_0]
REGEX = (?:\s+queries:)?(?:\s+([^:]+):)?\s+client\s+([\w\-\.:]{1,100})#(\d{1,5})(?:\s+\([^\)]+\))?:(?:\s+view\s+[^:]+:)?\s+query:\s+\(?([\w\-\.:]{1,100})\)?\s+([^\s]+)\s+([^\s]+)\s+([+-][^\s]*)\s+\(([\w\-\.:]{1,100})\)$
FORMAT = vendor_severity::$1 src::$2 src_port::$3 query::$4 record_class::$5 record_type::$6 flag::$7 dest::$8

[isc_bind_queryerror_extract_field_0]
REGEX = (?:\s+query-errors:)?(?:\s+([^:]+):)?\s+client\s+([\w\-\.:]{1,100})#(\d{1,5}):(?:\s+view\s+[^:]+:)?\s+query\s+failed\s+\(([^\)]+)\)\s+for\s+([\w\-\.:]{1,100})/([^/]+)/([^\s]+)\s+at\s+([^:]+):(\d+)$
FORMAT = vendor_severity::$1 src::$2 src_port::$3 response_code::$4 query::$5 record_class::$6 record_type::$7 file_name::$8 file_location::$9

[isc_bind_lameserver_extract_field_0]
REGEX = (?:\s+lame-servers:)?(?:\s+([^:]+):)?\s+(error\s+\(([^\)]+)\)\s+resolving\s+'([\w\-\.:]{1,100})/([^/]+)/([^']+)':\s+([\w\-\.:]{1,100})#(\d{1,5}))$
FORMAT = vendor_severity::$1 body::$2 error_type::$3 query::$4 record_type::$5 record_class::$6 dest::$7 dest_port::$8

[isc_bind_network_extract_field_0]
REGEX = (?:\s+network:)?(?:\s+([^:]+):)?\s+(no\s+longer\s+listening\s+on)\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|::)#(\d{1,5})$
FORMAT = vendor_severity::$1 vendor_action::$2 ip::$3 port::$4

[isc_bind_network_extract_field_2]
REGEX = (?:\s+network:)?(?:\s+([^:]+):)?\s+(listening\s+on)\s+([^\s]+)\s+interface\s+([^,]+),\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|::)#(\d{1,5})$
FORMAT = vendor_severity::$1 vendor_action::$2 proto::$3 interface::$4 ip::$5 port::$6

[isc_bind_transfer_extract_field_0]
REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(sending\s+notifies)\s+\(serial\s+([^\)]+)\)$
FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 serial_number::$5

[isc_bind_transfer_extract_field_2]
REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(sending\s+notify\s+to)\s+([\w\-\.:]{1,100})#(\d{1,5})$
FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 dest::$5 dest_port::$6

[isc_bind_transfer_extract_field_4]
REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(notify\s+to)\s+([\w\-\.:]{1,100})#(\d{1,5})(?:[^:]*:)\s+(.*)$
FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 dest::$5 dest_port::$6 detail::$7

[isc_bind_transfer_extract_field_6]
REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(notify\s+response\s+from)\s+([\w\-\.:]{1,100})#(\d{1,5}):\s+(.*)$
FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 src::$5 src_port::$6 response_code::$7

[isc_bind_severities_lookup]
filename = isc_bind_severities.csv

[isc_bind_category_lookup]
filename = isc_bind_category.csv

[isc_bind_reply_code_lookup]
filename = isc_bind_reply_code.csv

[isc_bind_action_lookup]
filename = isc_bind_action.csv

Thanks in advance

0 Karma
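The routing a heavy forwarder needs in this situation, as an added example that is not from the original post and is not part of the Splunk Add-on for ISC BIND: give the monitored file a placeholder sourcetype in inputs.conf, then let TRANSFORMS- rules in props.conf rewrite MetaData:Sourcetype per event to the add-on's own sourcetypes (isc:bind:query, isc:bind:queryerror, and so on), so the add-on's search-time extractions shown above apply unchanged. The script below holds the routing rules in one place, renders the props.conf and transforms.conf stanzas from them, and runs the same regexes over constructed BIND lines so the routing can be checked offline before it is deployed. The placeholder name isc:bind, the transform names, and every sample log line are assumptions made for the example.

```python
"""Route one mixed ISC BIND log file to the per-category sourcetypes that the
Splunk Add-on for ISC BIND expects, by rewriting MetaData:Sourcetype on the
heavy forwarder. Added example; not from the original post or the add-on.
Assumed: inputs.conf assigns the placeholder sourcetype isc:bind to the
monitored file, and every log line below is constructed for the demo."""
import re

BASE_SOURCETYPE = "isc:bind"   # placeholder set in inputs.conf (assumption)

# One routing rule per add-on sourcetype: (transform name, REGEX, destination).
# Each regex keys on the category token that named prints when the logging
# channel has "print-category yes", with a fallback on the message shape for
# channels that do not print it. Only PCRE/Python-common syntax is used so the
# same pattern works in transforms.conf and in this offline check.
ROUTES = [
    ("isc_bind_route_query",
     r"(?:\squeries:\s|\sclient\s\S+#\d{1,5}.*\squery:\s)",
     "isc:bind:query"),
    ("isc_bind_route_queryerror",
     r"(?:\squery-errors:\s|\squery\sfailed\s\()",
     "isc:bind:queryerror"),
    ("isc_bind_route_lameserver",
     r"(?:\slame-servers:\s|\serror\s\([^)]+\)\sresolving\s')",
     "isc:bind:lameserver"),
    ("isc_bind_route_network",
     r"(?:\snetwork:\s|\s(?:no\slonger\s)?listening\son\s)",
     "isc:bind:network"),
    ("isc_bind_route_transfer",
     r"(?:\snotify:\s|\szone\s\S+:\s(?:sending\snotif|notify\s))",
     "isc:bind:transfer"),
]


def render_conf():
    """Return (props.conf, transforms.conf) text for the heavy forwarder.

    TRANSFORMS- on the placeholder sourcetype runs each routing transform in
    the listed order; DEST_KEY = MetaData:Sourcetype makes a match rewrite the
    event's sourcetype before it is indexed, so the add-on's own props for
    isc:bind:query etc. then apply at search time without modification.
    """
    props = ("[%s]\nTRANSFORMS-route_bind = %s\n"
             % (BASE_SOURCETYPE, ", ".join(name for name, _, _ in ROUTES)))
    transforms = "".join(
        "[%s]\nREGEX = %s\nDEST_KEY = MetaData:Sourcetype\nFORMAT = sourcetype::%s\n\n"
        % (name, pattern, dest) for name, pattern, dest in ROUTES)
    return props, transforms


def route(line):
    """Sourcetype an event ends up with after the routing transforms.

    Mirrors Splunk's evaluation: every transform in the list is tried, and each
    match overwrites MetaData:Sourcetype, so the last matching rule wins. A line
    matching no rule keeps the placeholder sourcetype, which makes unrouted
    categories easy to find with sourcetype=isc:bind after deployment.
    """
    sourcetype = BASE_SOURCETYPE
    for _name, pattern, dest in ROUTES:
        if re.search(pattern, line):
            sourcetype = dest
    return sourcetype


# Constructed syslog-style lines of the kind the heavy forwarder would read:
# the first five carry a category token, the sixth comes from a channel
# without print-category, the last is a category the add-on does not model.
SAMPLE_LINES = [
    "Mar 10 12:00:01 ns1 named[1234]: queries: info: client 192.0.2.10#53211 (www.example.com): query: www.example.com IN A +E(0)K (198.51.100.1)",
    "Mar 10 12:00:02 ns1 named[1234]: query-errors: info: client 192.0.2.10#53212 (foo.example): query failed (SERVFAIL) for foo.example/IN/A at query.c:7589",
    "Mar 10 12:00:03 ns1 named[1234]: lame-servers: info: error (connection refused) resolving 'bad.example/A/IN': 203.0.113.5#53",
    "Mar 10 12:00:04 ns1 named[1234]: network: info: listening on IPv4 interface eth0, 198.51.100.1#53",
    "Mar 10 12:00:05 ns1 named[1234]: notify: info: zone example.com/IN: sending notifies (serial 2024031001)",
    "Mar 10 12:00:06 ns1 named[1234]: client 192.0.2.11#40001 (mail.example.com): query: mail.example.com IN MX - (198.51.100.1)",
    "Mar 10 12:00:07 ns1 named[1234]: general: info: zone example.com/IN: loaded serial 2024031001",
]


def route_all(lines=SAMPLE_LINES):
    """Map each line to its routed sourcetype (used by the demo and the check)."""
    return {line: route(line) for line in lines}


if __name__ == "__main__":
    props, transforms = render_conf()
    print(props)
    print(transforms)
    for line, sourcetype in route_all().items():
        print("%-22s %s" % (sourcetype, line[:80]))
```

Sourcetype rewriting is an index-time operation, so the rendered stanzas belong on the heavy forwarder (the first full Splunk instance to parse the file), not on the search head, and the add-on's props.conf/transforms.conf above stay as they are. The category tokens (queries:, query-errors:, lame-servers:, network:, notify:) only appear when the named logging channel has print-category yes; the fallback alternations cover channels without it, and anything that matches no rule keeps the placeholder sourcetype, which is worth searching for after deployment to catch categories the rules miss.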

sumitkathpal
Explorer

Help...

0 Karma

sumitkathpal
Explorer

Help required @elliotproebstel

0 Karma