All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Wrong time format in Microsoft DNS TA

Robbie1194
Communicator
‎05-02-2018 06:39 AM

Hi guys,

I've posted a sample DNS log with some random data:

02/05/2018 14:15:24 1264 PACKET 0000008AE9170080 UDP Rcv 0.0.0.0 7c4d Q [0001 D NOERROR] SRV (16)_kerberos-master(4)_tcp(3)RANDOM(3)CA0)

We're trying to ingest these logs into Splunk which has been partially successful. We began to ingest the data, however, the timestamps are taken incorrectly.

As we are in the UK 02/05/2018 should be the 2nd of May 2018 but it's only searchable as the 5th of February 2018. We are using the Microsoft DNS TA on a UF send the data via a heavy forwarder and then to the indexers. I've tried adding the below stanza to props.conf on the UF and the heavy forwarder but still the date only shows as the American Format. Anyone got any ideas on how to fix this?

[MSAD:NT6:DNS]
TIME_FORMAT = %d/%m/%Y

The default props.conf in the DNS TA doesn't have anything relating to timestamps which is also very confusing?

Any advice would be appreciated.

Cheers!

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-02-2018 06:47 AM

Hey, what you're using looks like the "old" Microsoft DNS debug logs, where everything is written to a single file in a pretty terrible format.
The Windows DNS TA however refers in it's installation instructions to this microsoft article, which tells you that you need either Windows Server 2012R2 or 2016, and requires a certain hotfix installed in case of 2012R2.

So, you gotta follow that article, enable the proper logging, and the TA will then work with that data. The older debug style logs are not supported by the TA and are actually quite terrible 😉

Edit:

You're right - the regexes match the old debug log style, but the linked article in the installation manual points to the new method.
Whatever, if it works for you, let's try the timestamp recognition.

TIME_FORMAT = %d/%m/%Y %H:%M:%S

This also includes the time, maybe this works better. The timestamp you get is a common format, also in the US day + month are twisted. Splunk recognizes such timestamps by default, so no configuration is needed, and therefore you don't see it in the TA's default props.conf. BTW, this config should go on the first HF/indexer the data goes to.

If this doesn't work out, please run this on the CLI:
/opt/splunk/bin/splunk btool props list MSAD:NT6:DNS --debug and post the output as a comment here.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

Reply

Robbie1194
Communicator
‎05-02-2018 06:59 AM

Hi xpac,

Thanks for trying to help but I don't think theres anything wrong with the log format. I think changing the logging settings on multiple domain controllers would be harder than just figuring out how to fix this timestamp issue.The TA deals with all field extractions fine, it's only failing on the timestamp.

Thanks!

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-03-2018 01:39 AM

We're you able to try this?

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-02-2018 07:22 AM

I updated my first answer, please check it out.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...