New to Splunk, but so far it's great!
I have a Windows 2008 DNS debug log that contains domain names. I need to define a field DOMAIN so I can extract these domain names and compare them to a watchlist of known botnet domains. Nothing new, I don't think. My records look like below.
10/24/2012 1:46:58 PM 077C PACKET 0000000003AF6580 UDP Rcv 10.41.72.18 31a0 Q [0001 D NOERROR] A .ixa-mar11.global.amec.com.
10/24/2012 1:44:00 PM 077C PACKET 0000000003A0DB50 UDP Snd 220.127.116.11 1275 Q [1000 NOERROR] A .fpdownload.macromedia.com.edgekey.net.
I am trying to use the built-in Splunk > Extract Fields, but it has a problem with the variable-length domain names. I cannot generate a regex command to do this for me to save my life. Since the domain names can be variable in length, I just can't get it.
Any help would be tremendously appreciated.
The problem with the above answers is that 2008 R2+ servers log in a format like:
2/12/2013 3:33:47 PM 17D4 PACKET 0000000004236180 UDP Rcv 10.1.1.1 4666 Q [0001 D NOERROR] A (4)host(9)subdomain(7)domain(3)com(0)
So you have to extract it and take into account the (#) that counts the characters provided.
I would match from the right. I've tested this with Regex Buddy with the sample set you provided.
Match 1: .ixa-mar11.global.amec.com. 114 28
Match 2: .fpdownload.macromedia.com.edgekey.net. 256 40
Hope this helps or gets you started.
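As an added example, not code from the thread or from Splunk, here is a Python parser that covers both record formats discussed above: it takes the query name as the last token on the line (matching from the right, as suggested, so the name can be any length), decodes the 2008 R2+ (length)label encoding into a dotted name, and checks the results against a watchlist. The sample records and the watchlist entry are constructed; the R2+ line uses the placeholder name host.subdomain.example.com.

```python
import re

# Constructed sample records modelled on the thread's two formats: the dotted
# form from the question and the 2008 R2+ length-prefixed form from the answer.
SAMPLE_LOG = """\
10/24/2012 1:46:58 PM 077C PACKET 0000000003AF6580 UDP Rcv 10.41.72.18 31a0 Q [0001 D NOERROR] A .ixa-mar11.global.amec.com.
10/24/2012 1:44:00 PM 077C PACKET 0000000003A0DB50 UDP Snd 220.127.116.11 1275 Q [1000 NOERROR] A .fpdownload.macromedia.com.edgekey.net.
2/12/2013 3:33:47 PM 17D4 PACKET 0000000004236180 UDP Rcv 10.1.1.1 4666 Q [0001 D NOERROR] A (4)host(9)subdomain(7)example(3)com(0)
"""

# Anchor on the closing ']' of the flags field, then take the record type and
# the last whitespace-free token as the query name, so the name can be any
# length and any number of labels.
QUERY_RE = re.compile(r"\]\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)\s*$")
# One (length)label pair of the R2+ encoding; (0) is the root terminator.
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

def decode_qname(raw):
    """Normalise either encoding to a plain lower-case dotted name, or None."""
    if not raw.startswith("("):
        # Dotted form: ".host.example.com." with a leading and trailing dot.
        return raw.strip(".").lower() or None
    labels = []
    for length, label in LABEL_RE.findall(raw):
        if length == "0":
            break
        # The count is part of the record; a mismatch means a malformed or
        # truncated line, so refuse it rather than guess at the name.
        if int(length) != len(label):
            return None
        labels.append(label)
    return ".".join(labels).lower() or None

def extract_domains(log_text):
    """Return (record_type, domain) for every query line that parses."""
    found = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        domain = decode_qname(m.group("qname")) if m else None
        if domain:
            found.append((m.group("qtype"), domain))
    return found

def watchlist_hits(domains, watchlist):
    """Report names that equal or sit under any watchlisted domain."""
    watched = {w.lower().strip(".") for w in watchlist}
    return sorted({d for _, d in domains
                   if d in watched or any(d.endswith("." + w) for w in watched)})
```

Subdomain matching is deliberate: a watchlist entry for a parent domain should also catch hosts beneath it, which an exact-match lookup in Splunk would miss.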
@bill_dishman, here are some variations of the regex statement. They all work with the samples you provided from your comment and your question. It's possible you have a char or whitespace that I am not accounting for. Hope this helps.
Don't forget to thumbs up or accept the answer on the board.
I just don't see my domain field in all records in a search.
56 » 10/24/2012 2:10:51 PM 077C PACKET 0000000003592E80 UDP Rcv 10.41.72.18 df51 Q [0001 D NOERROR] A .avamericas2.global.amec.com. host=ATT1-DNS1 | sourcetype=WINDNS | source=C:\dns.log
57 » 10/24/2012 2:01:58 PM 077C PACKET UDP Snd 18.104.22.168 6688 Q [1000 NOERROR] A .ixa-mar11.global.amec.com. host=ATT1-DNS1 | sourcetype=WINDNS | source=C:\dns.log | domain=ixa-mar11.global.amec.com.
Not sure if I understand what you mean by all of them in the dataset. If the field extractor is not highlighting all domain names in your data set, then the regex should be rewritten/modified for your needs. Given your limited sample, it's difficult to build a regex for all possibilities.
I would recommend purchasing a product like RegEx Buddy and visiting http://www.regular-expressions.info which has great info. I still reference it occasionally.
Sorry I couldn't be of more assistance to you.
Thanks for the help. I am really new to this. So I went back to Splunk > Extract and put what you have given me into the "Generated pattern (regex)" where I can EDIT it, and I now have this:
(?i) A .(?P
fieldname = your dc_name
When I APPLY this, or TEST it, it shows me my data and highlights the matches, but it only highlights some of the domain names, not all of them in the data set.
Sorry, I don't know much about this. First time. Do you think I am good? Looks good.
And thank you very, very much.