Why does the Splunk Add-on for Infoblox not always...

nrizzi · ‎04-20-2021

In the Splunk Add-on for Infoblox, the record_type field does not always parse correctly--especially instances in which there RRSIG records returned. Here is an instance where the parsing works fine.

Apr 21 08:41:27 xxx.xx.xxx.xx named[10396]: 21-Apr-2021 08:41:27.792 client xx.xxx.xx.xx#60438: UDP: query: self.events.data.microsoft.com IN A response: NOERROR + self.events.data.microsoft.com. 2064 IN CNAME self-events-data.trafficmanager.net.; self-events-data.trafficmanager.net. 6 IN CNAME skypedataprdcolcus14.cloudapp.net.; skypedataprdcolcus14.cloudapp.net. 3 IN A xx.xx.xxx.xxx;

record_type = CNAME record_type = CNAME record_type = A

Infoblox App Version is 2.0.0. Thanks!

However, here is an instance where it does not work, and where it's returning a RRSIG record_type. There is always an extracted timestamp:

Apr 21 08:51:12 xxx.xxx.x.xx named[18234]: 21-Apr-2021 08:51:12.351 client xxx.xxx.xx.xx#36237: UDP: query: data.lseg.com IN A response: NOERROR +EDV data.lseg.com. 300 IN A xxx.xxx.x.xx; data.lseg.com. 300 IN RRSIG A 13 3 300 20210422075112 20210420055112 34505 lseg.com. FR6lVgPJ3AI6aLoo+XCebNkTxORPa+pKk6CbFo0bs4Q/hnvCl3nN5E+9N6JRTUKe22XqOYFtoGBv1/9Q89ldaA==;

record_type = A record_type = RRSIG record_type = 20210422075112

Why does the Splunk Add-on for Infoblox not always parse the record_type field correctly?

troubleshooting

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk