Why does the Splunk Add-on for Infoblox not always...

nrizzi · ‎04-20-2021

In the Splunk Add-on for Infoblox, the record_type field does not always parse correctly--especially instances in which there RRSIG records returned. Here is an instance where the parsing works fine.

Apr 21 08:41:27 xxx.xx.xxx.xx named[10396]: 21-Apr-2021 08:41:27.792 client xx.xxx.xx.xx#60438: UDP: query: self.events.data.microsoft.com IN A response: NOERROR + self.events.data.microsoft.com. 2064 IN CNAME self-events-data.trafficmanager.net.; self-events-data.trafficmanager.net. 6 IN CNAME skypedataprdcolcus14.cloudapp.net.; skypedataprdcolcus14.cloudapp.net. 3 IN A xx.xx.xxx.xxx;

record_type = CNAME record_type = CNAME record_type = A

Infoblox App Version is 2.0.0. Thanks!

However, here is an instance where it does not work, and where it's returning a RRSIG record_type. There is always an extracted timestamp:

Apr 21 08:51:12 xxx.xxx.x.xx named[18234]: 21-Apr-2021 08:51:12.351 client xxx.xxx.xx.xx#36237: UDP: query: data.lseg.com IN A response: NOERROR +EDV data.lseg.com. 300 IN A xxx.xxx.x.xx; data.lseg.com. 300 IN RRSIG A 13 3 300 20210422075112 20210420055112 34505 lseg.com. FR6lVgPJ3AI6aLoo+XCebNkTxORPa+pKk6CbFo0bs4Q/hnvCl3nN5E+9N6JRTUKe22XqOYFtoGBv1/9Q89ldaA==;

record_type = A record_type = RRSIG record_type = 20210422075112

Why does the Splunk Add-on for Infoblox not always parse the record_type field correctly?

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation