
Splunk_TA_infoblox ver 1.1.0 default props for sourcetype infoblox:dns doesn't extract expected fields on search


Had Infoblox syslog onboarded via syslog-ng, which prepended date and hostname to the syslog event.
On the search head cluster we have the correct Splunk_TA_infoblox ver 1.1.0, and the props.conf/transforms.conf have a number of fields that should extract at search time, but nothing extracts: dns_request, dns_request_src, dns_request_record_type

example: props.conf

REPORT-dns_extract   = dns_request, dns_request_src, dns_request_record_type
REPORT-dns_extract_2 = dns_response,dns_incepted,dns_records_extract, dns_response_src,dns_response_dest, dns_response_record_type
REPORT-dns_rpz_extract = dns_rpz_cef_0
REPORT-dns_fields_1  = infoblox_dns_extract_field_0, infoblox_dns_extract_field_1, infoblox_dns_extract_field_2, infoblox_dns_extract_field_3, infoblox_dns_extract_field_4, infoblox_dns_extract_field_5,infoblox_dns_extract_field_6, infoblox_dns_extract_field_8, infoblox_dns_extract_field_9, infoblox_dns_extract_field_10
REPORT-dns_fields_2  = infoblox_dns_extract_field_11, infoblox_dns_extract_field_12, infoblox_dns_extract_field_13, infoblox_dns_extract_field_14, infoblox_dns_extract_field_15, infoblox_dns_extract_field_16, infoblox_dns_extract_field_17
REPORT-dns_rpz_fields_1 = infoblox_dns_rpz_qname_fields

example transforms.conf

REGEX = client\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?\d+).*\s(?query):\s(?\S+)\s(?\w+)\s(?\w+)\s(?(?:\+|\-)\S*)\s\((?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)

REGEX = \S+\s+(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\snamed\[(?\d+)\]\:\s(?:infoblox-responses:\s)?(?\S+)\s(?\S+)\sclient\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?\d+)?[\D]*\s(?\w+):\squery:\s(?\S+)\s(?\w+)\s(?\w+)\s(?response):\s(?\w+)\s(?\S+)\s?(?[\S+\s+]*)?

REGEX = (?\S+)\s(?\d+)\s(?\S+)\s(?\S+)\s(?\S+)
SOURCE_KEY = dns_record
MV_ADD = true

REGEX = (?[^;]+)
SOURCE_KEY = dns_response_RR_in_TEXT
MV_ADD = true

REGEX = (?.+)
SOURCE_KEY = dns_request_name_serverIP

REGEX = (?.+)
SOURCE_KEY = dns_response_client_ip

REGEX = (?.+)
SOURCE_KEY = server_ip

REGEX = (?.+)
SOURCE_KEY = dns_request_type_name

REGEX = (?.+)
SOURCE_KEY = dns_response_type_name

example of event
Nov 19 16:18:20 INFOBLOXHOST named[18123]: 19-Nov-2019 16:18:20.992 client X.X.X.X#58840: view 2: UDP: query: IN A response: NOERROR + 60 IN A Y.Y.Y.Y

Does anyone have any experience with this TA, and do I need to do custom extractions instead of using the TA?


I assume you are ingesting the syslog-ng delivered logs via a UF on the system? In your monitor stanza in inputs.conf you will want to set the sourcetype to:


This should correct your parsing issue.



0 Karma

Splunk Employee

I cleaned up the formatting to make this more readable.
Have you opened a support case? They are likely more able to walk you through debugging with a screen-sharing session.
To clarify, you mentioned you provided example props and transforms, but those appear to be not examples but the actual props and transforms that ship with the add-on. Can you validate this assertion?

Lastly, in the example event you provided, which portions of that string should be the fields you are missing? This information will help Splunk experts, who are not Infoblox/syslog experts, support your Splunk parsing challenge.

0 Karma


Thanks, yes, the examples are from the current props and transforms directly from the Splunk Infoblox TA;
that is why I find it odd that search-time extractions don't extract.

I've read the docs multiple times, and the TA is working correctly through the indexer tier; it is just the search-time extractions that don't work.

Since this is a TA supported by Splunk, I'm going to go the route of a support case and real-time screen-share troubleshooting.

For example, dns_response: shouldn't this look for the word "response" and then return what is found after the word?

0 Karma

Splunk Employee

I peeked at your support case and it appears to be moving along. It looks like the [dns_request] and [dns_response] REGEX is a bit too specific about the full string and therefore not matching all items.

For posterity of the post, let us know how this gets resolved.

Good luck!

0 Karma
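Added example (not from this thread and not the Splunk_TA_infoblox add-on's own code): a Python script that does offline what `| rex` would do in Splunk, running a pattern with the same structure as the dns_response REGEX quoted in the question against constructed events shaped like the sample event, so you can see which named groups actually extract. The group names (the post lost them), the two sample events (RFC 5737 addresses and example.com names in place of X.X.X.X / Y.Y.Y.Y; the second event's two ";"-separated records are assumed) and the relaxed pattern are assumptions, not the add-on's settings. The strict pattern returns no match on a syslog-ng-headed event because it requires an IPv4 address immediately before `named[`, which a header like "Nov 19 16:18:20 INFOBLOXHOST" does not provide, and it makes further fixed-position assumptions about the tokens between the client port and `query:`. The relaxed pattern keys only on the tokens that are stable in every response line, then chains a record-level split the way the `dns_record` SOURCE_KEY transform with MV_ADD does.

```python
import re

# Constructed sample events shaped like the one in the question. The redacted
# X.X.X.X / Y.Y.Y.Y values are replaced with RFC 5737 documentation addresses
# and example.com names; the second event is an assumed two-record answer whose
# records are separated by ";" (the separator the TA's [^;]+ transform implies).
EVENTS = [
    "Nov 19 16:18:20 INFOBLOXHOST named[18123]: 19-Nov-2019 16:18:20.992 "
    "client 192.0.2.10#58840: view 2: UDP: query: www.example.com IN A "
    "response: NOERROR + www.example.com. 60 IN A 198.51.100.7",
    "Nov 19 16:18:21 INFOBLOXHOST named[18123]: 19-Nov-2019 16:18:21.104 "
    "client 192.0.2.11#41002: view 2: UDP: query: alias.example.com IN A "
    "response: NOERROR +E alias.example.com. 300 IN CNAME www.example.com.; "
    "www.example.com. 60 IN A 198.51.100.7",
]

IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
IPV6 = r"(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4}"
IP = f"(?:{IPV4}|{IPV6})"

# Strict pattern with the same structure as the dns_response REGEX quoted in the
# question. The post lost the group names, so the names used here are assumed.
# It requires an IPv4 address directly before "named[" (a syslog-ng header puts
# "Nov 19 16:18:20 INFOBLOXHOST" there instead) and a single "<word>: query:"
# sequence after the client port, so the sample "view 2: UDP: query:" cannot fit.
STRICT_RESPONSE = re.compile(
    rf"\S+\s+(?P<server_ip>{IPV4})\snamed\[(?P<pid>\d+)\]:\s(?:infoblox-responses:\s)?"
    rf"(?P<date>\S+)\s(?P<time>\S+)\sclient\s(?P<dns_response_client_ip>{IP})#(?P<client_port>\d+)?"
    rf"[\D]*\s(?P<view>\w+):\squery:\s(?P<dns_response_name>\S+)\s(?P<dns_class>\w+)\s"
    rf"(?P<dns_response_type_name>\w+)\s(?P<dns_response>response):\s(?P<dns_response_code>\w+)\s"
    rf"(?P<dns_flags>\S+)\s?(?P<dns_record>[\S+\s+]*)?"
)

# Relaxed pattern (assumed, not the TA's): key only on tokens that are stable in
# every response line ("client <ip>#<port>", "query:", "response:") and let ".*?"
# absorb the view/transport tokens whose layout varies between views and versions.
RELAXED_RESPONSE = re.compile(
    rf"\bclient\s(?P<dns_response_client_ip>{IP})#(?P<client_port>\d+)"
    rf".*?\bquery:\s(?P<dns_response_name>\S+)\s(?P<dns_class>\w+)\s(?P<dns_response_type_name>\w+)\s"
    rf"response:\s(?P<dns_response_code>\w+)\s(?P<dns_flags>[+-]\S*)\s*(?P<dns_record>.*)$"
)

# Second-stage transform like the TA's dns_records_extract (SOURCE_KEY = dns_record,
# MV_ADD = true): one record per ";"-separated chunk, split into its five columns.
RECORD = re.compile(
    r"(?P<rr_name>\S+)\s(?P<rr_ttl>\d+)\s(?P<rr_class>\S+)\s(?P<rr_type>\S+)\s(?P<rr_data>\S+)"
)


def extract(pattern, event):
    """Return the non-empty named groups, like a REPORT- extraction at search time."""
    m = pattern.search(event)
    return {k: v for k, v in m.groupdict().items() if v} if m else {}


def extract_records(fields):
    """Chain on the dns_record field the way SOURCE_KEY does; one dict per record."""
    records = []
    for chunk in fields.get("dns_record", "").split(";"):
        m = RECORD.search(chunk.strip())
        if m:
            records.append(m.groupdict())
    return records


def compare(event):
    """Run the strict and relaxed extractions side by side on one event."""
    return {
        "strict": extract(STRICT_RESPONSE, event),
        "relaxed": extract(RELAXED_RESPONSE, event),
    }


if __name__ == "__main__":
    for ev in EVENTS:
        result = compare(ev)
        print("strict :", sorted(result["strict"]) or "NO MATCH")
        print("relaxed:", sorted(result["relaxed"]))
        for rr in extract_records(result["relaxed"]):
            print("  record:", rr)
```

Paste a real (unredacted) event from `index=... sourcetype=infoblox:dns` into EVENTS to reproduce the search-time behaviour before opening a case: if the strict pattern returns no match on your events while the relaxed one returns every field, the problem is the REGEX shape rather than the sourcetype or the indexer tier, and a local `props.conf`/`transforms.conf` override of just that REPORT- stanza on the search head is the usual fix.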