All Apps and Add-ons

Splunk_TA_infoblox ver 1.1.0 default props for sourcetype infoblox:dns doesn't extract expected fields on search

ACingo17
Explorer

Had infoblox syslog onboarded via syslog-ng which prepended date hostname to syslog event
On the searchhead cluster have the correct Splunk_TA_infoblox ver 1.1.0 and the props.conf/transforms.conf has a number of fields that should extract on search but nothing extracts dns_request dns_request_src dns_request_record_type

example: props.conf

[infoblox:dns]
#Reports
REPORT-dns_extract   = dns_request, dns_request_src, dns_request_record_type
REPORT-dns_extract_2 = dns_response,dns_incepted,dns_records_extract, dns_response_src,dns_response_dest, dns_response_record_type
REPORT-dns_rpz_extract = dns_rpz_cef_0
REPORT-dns_fields_1  = infoblox_dns_extract_field_0, infoblox_dns_extract_field_1, infoblox_dns_extract_field_2, infoblox_dns_extract_field_3, infoblox_dns_extract_field_4, infoblox_dns_extract_field_5,infoblox_dns_extract_field_6, infoblox_dns_extract_field_8, infoblox_dns_extract_field_9, infoblox_dns_extract_field_10
REPORT-dns_fields_2  = infoblox_dns_extract_field_11, infoblox_dns_extract_field_12, infoblox_dns_extract_field_13, infoblox_dns_extract_field_14, infoblox_dns_extract_field_15, infoblox_dns_extract_field_16, infoblox_dns_extract_field_17
REPORT-dns_rpz_fields_1 = infoblox_dns_rpz_qname_fields

example transforms.conf

[dns_request]
REGEX = client\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?\d+).*\s(?query):\s(?\S+)\s(?\w+)\s(?\w+)\s(?(?:\+|\-)\S*)\s\((?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)

[dns_response]
REGEX = \S+\s+(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\snamed\[(?\d+)\]\:\s(?:infoblox-responses:\s)?(?\S+)\s(?\S+)\sclient\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?\d+)?[\D]*\s(?\w+):\squery:\s(?\S+)\s(?\w+)\s(?\w+)\s(?response):\s(?\w+)\s(?\S+)\s?(?[\S+\s+]*)?

[dns_records_extract]
REGEX = (?\S+)\s(?\d+)\s(?\S+)\s(?\S+)\s(?\S+)
SOURCE_KEY = dns_record
MV_ADD = true

[dns_incepted]
REGEX = (?[^;]+)
SOURCE_KEY = dns_response_RR_in_TEXT
MV_ADD = true

[dns_request_src]
REGEX = (?.+)
SOURCE_KEY = dns_request_name_serverIP

[dns_response_src]
REGEX = (?.+)
SOURCE_KEY = dns_response_client_ip

[dns_response_dest]
REGEX = (?.+)
SOURCE_KEY = server_ip

[dns_request_record_type]
REGEX = (?.+)
SOURCE_KEY = dns_request_type_name

[dns_response_record_type]
REGEX = (?.+)
SOURCE_KEY = dns_response_type_name

example of event
Nov 19 16:18:20 INFOBLOXHOST named[18123]: 19-Nov-2019 16:18:20.992 client X.X.X.X#58840: view 2: UDP: query: client.cldomain.net IN A response: NOERROR + client.cldomain.net. 60 IN A Y.Y.Y.Y

Does anyone have any experience with this TA and do I need to do custom extractions instead of using the TA ?

nethead
Observer

I assume you are ingesting the syslog-ng delivered logs via a UF on the system?  In your monitor stanza in inputs.conf you will want to set the sourcetype to:

 

sourcetype=infoblox:file

(https://docs.splunk.com/Documentation/AddOns/released/Infoblox/Configureinputs)

 

This should correct your parsing issue.

thanks,

-pat.

0 Karma

sloshburch
Splunk Employee
Splunk Employee

I cleaned up the formatting to make this more readable.
Have you opened a support case? They are likely more able to walk you through debugging with a screen sharing session.
To clarify, you mentioned you provided example props and transforms...but those appear to be not examples, but the actual props and transforms that ship with the add on. Can you validate this assertion?

Lastly, in the example event you provided, what portions of that string should be the fields you are missing? This information will help Splunk experts who are not Infoblox/syslog experts, support your Splunk parsing challenge.

0 Karma

ACingo17
Explorer

thanks, yes the examples are from the current props and transforms directly from the Splunk Infoblox TA
that is why I find it odd that searchtime extractions don't extract.

I've read the docs multiple times and the TA is working correctly through the indexer tier and just serchtime extractions don't work.

Since this is a TA supported by Splunk I'm going to go the route of support case and realtime screen share troubleshooting

for example -- dns_response , shouldn't this look for the word response and then return what is found after the word ?

0 Karma

sloshburch
Splunk Employee
Splunk Employee

I peeked at your support case and it appears to be moving along. It looks like the [dns_request] and [dns_response] REGEX is a bit too specific about the full string and therefore not matching all items.

For posterity of the post, let us know how this gets resolved.

Good luck!

0 Karma

PavithraSarvin
Loves-to-Learn Lots

Is there a solution in place for this issue? Iam facing same issue.

0 Karma

DanielPi
Moderator
Moderator

Hi @PavithraSarvin,

I’m a Community Moderator in the Splunk Community.

This question was posted 5 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.

Thank you! 

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...