
Splunk_TA_infoblox ver 1.1.0 default props for sourcetype infoblox:dns don't extract expected fields on search

ACingo17
Explorer

Had infoblox syslog onboarded via syslog-ng, which prepended date and hostname to the syslog event.
On the search head cluster we have the correct Splunk_TA_infoblox ver 1.1.0, and the props.conf/transforms.conf has a number of fields that should extract at search time, but nothing extracts: dns_request, dns_request_src, dns_request_record_type.

example: props.conf

[infoblox:dns]
#Reports
REPORT-dns_extract   = dns_request, dns_request_src, dns_request_record_type
REPORT-dns_extract_2 = dns_response,dns_incepted,dns_records_extract, dns_response_src,dns_response_dest, dns_response_record_type
REPORT-dns_rpz_extract = dns_rpz_cef_0
REPORT-dns_fields_1  = infoblox_dns_extract_field_0, infoblox_dns_extract_field_1, infoblox_dns_extract_field_2, infoblox_dns_extract_field_3, infoblox_dns_extract_field_4, infoblox_dns_extract_field_5,infoblox_dns_extract_field_6, infoblox_dns_extract_field_8, infoblox_dns_extract_field_9, infoblox_dns_extract_field_10
REPORT-dns_fields_2  = infoblox_dns_extract_field_11, infoblox_dns_extract_field_12, infoblox_dns_extract_field_13, infoblox_dns_extract_field_14, infoblox_dns_extract_field_15, infoblox_dns_extract_field_16, infoblox_dns_extract_field_17
REPORT-dns_rpz_fields_1 = infoblox_dns_rpz_qname_fields

example transforms.conf

[dns_request]
REGEX = client\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?\d+).*\s(?query):\s(?\S+)\s(?\w+)\s(?\w+)\s(?(?:\+|\-)\S*)\s\((?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)

[dns_response]
REGEX = \S+\s+(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\snamed\[(?\d+)\]\:\s(?:infoblox-responses:\s)?(?\S+)\s(?\S+)\sclient\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?\d+)?[\D]*\s(?\w+):\squery:\s(?\S+)\s(?\w+)\s(?\w+)\s(?response):\s(?\w+)\s(?\S+)\s?(?[\S+\s+]*)?

[dns_records_extract]
REGEX = (?\S+)\s(?\d+)\s(?\S+)\s(?\S+)\s(?\S+)
SOURCE_KEY = dns_record
MV_ADD = true

[dns_incepted]
REGEX = (?[^;]+)
SOURCE_KEY = dns_response_RR_in_TEXT
MV_ADD = true

[dns_request_src]
REGEX = (?.+)
SOURCE_KEY = dns_request_name_serverIP

[dns_response_src]
REGEX = (?.+)
SOURCE_KEY = dns_response_client_ip

[dns_response_dest]
REGEX = (?.+)
SOURCE_KEY = server_ip

[dns_request_record_type]
REGEX = (?.+)
SOURCE_KEY = dns_request_type_name

[dns_response_record_type]
REGEX = (?.+)
SOURCE_KEY = dns_response_type_name

example of event
Nov 19 16:18:20 INFOBLOXHOST named[18123]: 19-Nov-2019 16:18:20.992 client X.X.X.X#58840: view 2: UDP: query: client.cldomain.net IN A response: NOERROR + client.cldomain.net. 60 IN A Y.Y.Y.Y

Does anyone have any experience with this TA, and do I need to do custom extractions instead of using the TA?

nethead
Observer

I assume you are ingesting the syslog-ng delivered logs via a UF on the system? In your monitor stanza in inputs.conf you will want to set the sourcetype to:

sourcetype=infoblox:file

(https://docs.splunk.com/Documentation/AddOns/released/Infoblox/Configureinputs)

This should correct your parsing issue.

thanks,

-pat.

0 Karma

sloshburch
Splunk Employee

I cleaned up the formatting to make this more readable.
Have you opened a support case? They are likely more able to walk you through debugging with a screen sharing session.
To clarify, you mentioned you provided example props and transforms... but those appear to be not examples, but the actual props and transforms that ship with the add-on. Can you validate this assertion?

Lastly, in the example event you provided, what portions of that string should be the fields you are missing? This information will help Splunk experts who are not Infoblox/syslog experts support your Splunk parsing challenge.

0 Karma

ACingo17
Explorer

Thanks, yes, the examples are from the current props and transforms, directly from the Splunk Infoblox TA;
that is why I find it odd that search-time extractions don't extract.

I've read the docs multiple times, and the TA is working correctly through the indexer tier; just the search-time extractions don't work.

Since this is a TA supported by Splunk, I'm going to go the route of a support case and real-time screen share troubleshooting.

For example: dns_response, shouldn't this look for the word response and then return what is found after the word?

0 Karma

sloshburch
Splunk Employee

I peeked at your support case and it appears to be moving along. It looks like the [dns_request] and [dns_response] REGEX is a bit too specific about the full string and therefore not matching all items.

For posterity of the post, let us know how this gets resolved.

Good luck!

0 Karma
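The mismatch sloshburch describes can be reproduced offline before changing anything in the add-on. This is an added example, not code from the thread or from Splunk_TA_infoblox: the group names and the strict/relaxed patterns are my own reconstruction of the shape discussed above (an IPv4 address required immediately before "named["), the second-stage record parser mirrors the SOURCE_KEY-chaining idea of [dns_records_extract], and the addresses are constructed placeholders.

```python
import re

# Constructed sample: the thread's event with RFC 5737 addresses in place
# of the X.X.X.X / Y.Y.Y.Y placeholders.
EVENT = ("Nov 19 16:18:20 INFOBLOXHOST named[18123]: 19-Nov-2019 16:18:20.992 "
         "client 10.0.0.5#58840: view 2: UDP: query: client.cldomain.net IN A "
         "response: NOERROR + client.cldomain.net. 60 IN A 192.0.2.10")

IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
IPV6 = r"(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4}"

# Body after "named[pid]: ", anchored on the stable tokens client / query: / response:.
BODY = (rf"(?P<date>\S+)\s(?P<time>\S+)\sclient\s(?P<client_ip>{IPV4}|{IPV6})"
        r"#(?P<client_port>\d+):\s(?:view\s(?P<view>\S+):\s)?(?P<proto>\w+):\s"
        r"query:\s(?P<qname>\S+)\s(?P<qclass>\w+)\s(?P<qtype>\w+)\sresponse:\s"
        r"(?P<rcode>\w+)\s(?P<flags>\S+)(?:\s(?P<rr>.*))?$")

# Strict head (hypothetical, modelled on the thread): the token right before
# "named[" must be an IPv4 address, so the syslog-ng "Mon DD HH:MM:SS host"
# prefix can never satisfy it.
STRICT = re.compile(rf"^\S+\s+(?P<host>{IPV4})\snamed\[(?P<pid>\d+)\]:\s" + BODY)
# Relaxed head: skip any prefix and take whatever precedes "named[" as the host.
RELAXED = re.compile(r"^(?:.*?\s)?(?P<host>\S+)\snamed\[(?P<pid>\d+)\]:\s" + BODY)

# Second stage, like a transform with SOURCE_KEY set to the rr field:
# one "name ttl class type rdata" record per ';'-separated chunk.
RECORD = re.compile(r"(?P<name>\S+)\s(?P<ttl>\d+)\s(?P<class>\S+)\s(?P<type>\S+)\s(?P<rdata>\S+)")


def extract(event, pattern):
    """Return the named groups of the first match, or None when nothing matches."""
    m = pattern.search(event)
    return m.groupdict() if m else None


def records(rr_text):
    """Parse the RR text into a list of dicts, one per record."""
    out = []
    for chunk in rr_text.split(";"):
        m = RECORD.search(chunk.strip())
        if m:
            out.append(m.groupdict())
    return out


if __name__ == "__main__":
    print("strict :", extract(EVENT, STRICT))   # None: prefix breaks the match
    fields = extract(EVENT, RELAXED)
    print("relaxed:", fields)
    print("records:", records(fields["rr"]))
```

Run the same check against a few hundred real lines from the syslog-ng file before editing a local transforms.conf override, so that the relaxed pattern is known to match every event shape the hosts actually emit.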