We have the DNS debug logs coming onto the indexer.
Now each event will have an alphanumeric pattern for the 'domain name' in the fashion below.
Now I want the highlighted data to be altered to a different format.
I have used the SEDCMD below in props.conf, but it does not seem to alter it as required:
SEDCMD-win_dns = s/\(\d+\)/./g
So it basically replaces all the '(digits)' with '.', but I want the integers at the extreme ends to be converted to a whitespace character.
Is that possible?
Okay, so I seem to have got the logic; strange that it's not working. Maybe we can fix that.
But there is a different catch.
The domain name may not be in the given format every time.
It can be any of the 2 below as well.
Any thoughts on that?
I need to solve the same issue as in this thread, regarding the MS DNS log format.
I have events like this:
1. 2. 2017 20:19:22 0D80 PACKET 0000002548D040A0 UDP Rcv 10.17.81.32 7be7 Q [0001 D NOERROR] A (5)h42-m(3)sec(3)lab(0)
The problem is with "(5)h42-m(3)sec(3)lab(0)"
I need to get events to look like this:
When I implemented your suggestion in props.conf
# every '(digits)' in the event becomes a '.'
SEDCMD-remove_parens_num = s/\((\d+)\)/./g
# drop a '.' at the very start of the event
SEDCMD-remove_first_period = s/^\.//g
# drop a '.' at the very end of the event
SEDCMD-remove_last_period = s/\.$//g
I stopped seeing my DNS logs in the GUI permanently after a restart of Splunk. I do not understand. If I remove your proposal, they are back again, with the wrong format.
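The rewrite discussed across this thread, as an added example that is not part of any post above: a Python script that applies three variants of the SEDCMD chain to a constructed event in the MS DNS debug-log layout quoted above (the event is made up for the example, not captured from a server), and a label-aware decoder that checks each "(len)label" pair against its declared length. It shows why the three rules anchored with ^ and $ leave the leading dot behind (they anchor to the event, not to the name), what the config does if pasted exactly as it renders here with the backslashes lost, and a chain that turns only the inner length markers into dots, which is what the original poster asked for. The SEDCMD class names in the comment are invented, and the assumption that Splunk applies them in that order is one to verify on your own instance.

```python
import re

# Constructed sample event (not captured from a real server), laid out like the
# MS DNS debug-log line quoted in the thread; the queried name is length-prefixed.
SAMPLE_EVENT = (
    "1. 2. 2017 20:19:22 0D80 PACKET 0000002548D040A0 UDP Rcv 10.17.81.32 7be7 "
    "Q [0001 D NOERROR] A (5)h42-m(3)sec(3)lab(0)"
)


def apply_sed_chain(event, steps):
    """Apply (pattern, replacement) pairs in order, like a chain of SEDCMDs."""
    for pattern, repl in steps:
        event = re.sub(pattern, repl, event)
    return event


# The three rules exactly as they render on the page (backslashes lost):
# "((\d))" is then just a single digit in two groups and "(.)" any character.
AS_DISPLAYED = [(r"((\d))", "."), (r"^(.)", ""), (r"(.)$", "")]

# The same rules with their escaping restored: parenthesised digits become a
# dot, then a dot at the start and at the end of the EVENT is removed.
AS_INTENDED = [(r"\((\d+)\)", "."), (r"^\.", ""), (r"\.$", "")]

# A chain that does what the original poster asked for: the outer length
# markers turn into whitespace / nothing, only the inner ones become dots.
# It is not anchored to the event, so it works wherever the name sits.
# Splunk's PCRE supports the lookahead and the \1 back-reference; the class
# names are invented, and that Splunk runs them in this order is an ASSUMPTION.
#   SEDCMD-1_root  = s/\(0\)(?=\s|$)//g
#   SEDCMD-2_first = s/(\s)\(\d+\)/\1/g
#   SEDCMD-3_dots  = s/\(\d+\)/./g
CORRECTED = [
    (r"\(0\)(?=\s|$)", ""),     # drop the terminating root label
    (r"(\s)\(\d+\)", r"\1"),    # drop the first length, keep the preceding space
    (r"\(\d+\)", "."),          # every remaining length marker separates labels
]

# Label-aware decoding for a structured pipeline: each (len)label pair is
# checked against its declared length, which a plain regex rewrite cannot do.
ENCODED_NAME_RE = re.compile(r"(?:\(\d+\)[^\s()]*)+")
LABEL_RE = re.compile(r"\((\d+)\)([^\s()]*)")


def decode_name(encoded):
    """'(5)h42-m(3)sec(3)lab(0)' -> 'h42-m.sec.lab'; ValueError on a bad length."""
    labels = []
    for length, label in LABEL_RE.findall(encoded):
        n = int(length)
        if n == 0:
            break  # (0) is the root label and ends the name
        if len(label) != n:
            raise ValueError(f"label {label!r} does not have declared length {n}")
        labels.append(label)
    return ".".join(labels) if labels else "."


def rewrite_event(event):
    """Replace every well-formed encoded name; leave malformed ones untouched."""
    def _repl(match):
        try:
            return decode_name(match.group(0))
        except ValueError:
            return match.group(0)
    return ENCODED_NAME_RE.sub(_repl, event)


if __name__ == "__main__":
    for name, steps in (("as displayed", AS_DISPLAYED),
                        ("as intended", AS_INTENDED),
                        ("corrected", CORRECTED)):
        print(f"{name:13}: {apply_sed_chain(SAMPLE_EVENT, steps)}")
    print(f"{'decoded':13}: {rewrite_event(SAMPLE_EVENT)}")
```

Run it and compare the four output lines: the "as intended" chain still ends in `A .h42-m.sec.lab` because `^\.` never sees the dot in the middle of the event, while the corrected chain and the decoder both give `A h42-m.sec.lab`. For an indexing pipeline the decoder is the safer choice, since a name whose declared lengths do not match its labels is left alone instead of being silently mangled.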