
Why does the Splunk Add-on for Infoblox not always parse the record_type field correctly?


In the Splunk Add-on for Infoblox, the record_type field does not always parse correctly--especially in instances in which there are RRSIG records returned. Here is an instance where the parsing works fine.




Apr 21 08:41:27 named[10396]: 21-Apr-2021 08:41:27.792 client UDP: query: IN A response: NOERROR + 2064 IN CNAME; 6 IN CNAME; 3 IN A;

record_type = CNAME record_type = CNAME record_type = A


Infoblox App Version is 2.0.0. Thanks!



However, here is an instance where it does not work, and where it's returning an RRSIG record_type. There is always an extracted timestamp:




Apr 21 08:51:12 named[18234]: 21-Apr-2021 08:51:12.351 client UDP: query: IN A response: NOERROR +EDV 300 IN A; 300 IN RRSIG A 13 3 300 20210422075112 20210420055112 34505 FR6lVgPJ3AI6aLoo+XCebNkTxORPa+pKk6CbFo0bs4Q/hnvCl3nN5E+9N6JRTUKe22XqOYFtoGBv1/9Q89ldaA==;

record_type = A record_type = RRSIG record_type = 20210422075112
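
As an added example (not part of the original post and not the add-on's own extraction), one way to pull record types from these response lines in Python: split the answer section on `;` and read the type only from the position after TTL and class, so RRSIG RDATA such as the signature expiration timestamp is never considered. The line layout is assumed from the two samples in the post; the function, pattern and constant names are illustrative, and the third sample line is constructed.

```python
import re

# Assumed layout (from the samples in the post): "response: <RCODE> <flags> <records>"
ANSWERS = re.compile(r"response:\s+(?P<rcode>[A-Z]+)\s+(?P<flags>[+-]\S*)\s*(?P<answers>.*)$")
# One record: optional owner name, TTL, class, TYPE; anything after TYPE is RDATA.
RECORD = re.compile(
    r"^(?:\S+\s+)?(?P<ttl>\d+)\s+(?P<cls>IN|CH|HS)\s+(?P<rtype>[A-Z0-9-]+)(?:\s|$)"
)

def record_types(line):
    """Return the record type of each ';'-terminated record in the answer section."""
    m = ANSWERS.search(line)
    if not m:
        return []
    types = []
    for segment in m.group("answers").split(";"):
        rec = RECORD.match(segment.strip())
        if rec:  # empty or unparseable segments are skipped, not guessed at
            types.append(rec.group("rtype"))
    return types

# The two log lines quoted in the post.
SAMPLE_OK = ("Apr 21 08:41:27 named[10396]: 21-Apr-2021 08:41:27.792 client UDP: "
             "query: IN A response: NOERROR + 2064 IN CNAME; 6 IN CNAME; 3 IN A;")
SAMPLE_RRSIG = ("Apr 21 08:51:12 named[18234]: 21-Apr-2021 08:51:12.351 client UDP: "
                "query: IN A response: NOERROR +EDV 300 IN A; 300 IN RRSIG A 13 3 300 "
                "20210422075112 20210420055112 34505 "
                "FR6lVgPJ3AI6aLoo+XCebNkTxORPa+pKk6CbFo0bs4Q/hnvCl3nN5E+9N6JRTUKe22XqOYFtoGBv1/9Q89ldaA==;")
# Constructed line with owner names and RDATA present (documentation name and address).
SAMPLE_FULL = ("query: example.com IN A response: NOERROR + "
               "example.com 300 IN A 192.0.2.1;")

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_RRSIG, SAMPLE_FULL):
        print(record_types(sample))
```
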






