- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Can you help me with some Windows DNS log parsing ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to ingest Windows DNS trace logs to Splunk. The Windows servers running the DNS service are running local universal forwarder installs, with the following defined in inputs.conf for their deployment app:
[monitor://C:\servicelog\dnslog.log]
disabled = 0
index = dns_data
sourcetype = MSAD:NT6:DNS
crcSalt =
While the data is showing up in the correct index with the right sourcetype, it is coming in as each individual line in the trace log file = one event in Splunk, so since each true 'DNS request' in the trace log is about 100+ lines, and Splunk is assigning a new event to each line instead of line breaking on the date, it's making it almost impossible to parse the info I need and tie it back to anything useful. The log itself on the Windows DNS server has a new line for everything, and doesn't break on the time either, so I am trying to force it to break on time, and put everything up to the next time event into a single Splunk event.
The time format in the DNS log is, for example: 4/2/2019 12:26:20 PM
I have created a props.conf and transforms.conf within the indexers' deployment app and pushed it out. The contents of the props.conf are:
[MSAD:NT6:DNS]
TRANSFORMS-dns-time = msad_dns_time
and the contents of the transforms.conf file are:
[msad_dns_time]
TIME_PREFIX = ^
TIME_FORMAT = %-m/%e/%Y %l:%M:%S %p
What am I missing? Any help would be appreciated. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ended up using AoD hours, had to strip the entire contents of the [MSAD:NT6:DNS] stanza from the TA's default/props.conf file, change SHOULD_LINEMERGE to true, then paste that into the indexers' /etc/system/local/props.conf files and restart the indexer cluster and now it's line breaking properly... hopefully that helps someone else out down the road if they find this thread.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ended up using AoD hours, had to strip the entire contents of the [MSAD:NT6:DNS] stanza from the TA's default/props.conf file, change SHOULD_LINEMERGE to true, then paste that into the indexers' /etc/system/local/props.conf files and restart the indexer cluster and now it's line breaking properly... hopefully that helps someone else out down the road if they find this thread.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As a follow on, I have tried it with the following all in props.conf on the indexers as well, without using a transforms file too, with no difference:
[MSAD:NT6:DNS]
SHOULD_LINEMERGE = true
TIME_PREFIX = ^
TIME_FORMAT = %-m/%e/%Y %l:%M:%S %p
BREAK_ONLY_BEFORE_DATE = true
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
