
How to alter data using SEDCMD in props.conf?

We have the DNS debug logs coming onto the indexer.
Now each event will have an alpha-numeric pattern for 'domain name' in the below fashion

(1)abc(2)def(3)ghif(4)

Now I want the highlighted data to be altered to a different format.
I have used the below SEDCMD in props.conf but it does not seem to alter it as required

SEDCMD-win_dns = s/\(\d+\)/./g

Expectation: abc.def.ghif
Reality: .abc.def.ghif.

So it basically replaces all the '(digits)' with '.'. But I want the extreme-placed integers to be converted to a white space character.
Is that possible?


Re: How to alter data using SEDCMD in props.conf?

Legend

Try this

SEDCMD-win_dns = s/(\(\d\))(\w+)(\(\d\))(\w+)(\(\d\))(\w+)(\(\d\))/\2\.\4\.\6/g

Re: How to alter data using SEDCMD in props.conf?

Hi,

It does not seem to work!
Will it be possible for you to explain in short what logic you are using for this?

Regards
Sayanta B


Re: How to alter data using SEDCMD in props.conf?

Okay, so I seem to have got the logic; strange it's not working. Maybe we can fix that.
But there is a different catch.

Every time the domain name may not be in the given format
(1)abc(2)def(3)ghif(4)

It can be any of the below 2 as well

(1)abc(2)def(3)
(1)abc(2)def(3)ghif(4)xyz(5)

Any thoughts on that?


Re: How to alter data using SEDCMD in props.conf?

Legend

In that case, try three SEDCMD

SEDCMD-removeparensnum = s/\(\d\)/./g
SEDCMD-removefirstperiod = s/^\.//g
SEDCMD-removelastperiod = s/\.$//g


Re: How to alter data using SEDCMD in props.conf?

Communicator

I have the same issue with MS Active Directory DNS server log format. Does not work. No change at all. I am desperate.


Re: How to alter data using SEDCMD in props.conf?

SplunkTrust

Ask in a separate/new question and I'd be happy to help you


Re: How to alter data using SEDCMD in props.conf?

Communicator

I need to solve the same issue as in this thread, regarding the MS DNS log format.

I have events like this:
1. 2. 2017 20:19:22 0D80 PACKET 0000002548D040A0 UDP Rcv 10.17.81.32 7be7 Q [0001 D NOERROR] A (5)h42-m(3)sec(3)lab(0)

The problem is with "(5)h42-m(3)sec(3)lab(0)"

I need to get events to look like this:

1. 2. 2017 20:19:22 0D80 PACKET 0000002548D040A0 UDP Rcv 10.17.81.32 7be7 Q [0001 D NOERROR] A h42-m.sec.lab

When I implemented your suggestion in props.conf:
SEDCMD-removeparensnum = s/\(\d\)/./g
SEDCMD-removefirstperiod = s/^\.//g
SEDCMD-removelastperiod = s/\.$//g

I stopped seeing my DNS logs in the GUI permanently after a restart of Splunk. I do not understand. If I remove your proposal, it's back again with the wrong format.

Any idea?

Tomas

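As an added example (not code from the thread), here is a three-step SEDCMD set that handles any number of labels and still works when the name sits in the middle of the event, with Python's re standing in for Splunk's regex engine so the steps can be checked offline; the stanza and class names are hypothetical.

```python
import re

# Added example (not from the thread): one props.conf stanza with three SEDCMD steps that
# turn MS DNS length-prefixed names such as "(5)h42-m(3)sec(3)lab(0)" into "h42-m.sec.lab"
# wherever the name sits in the event; "(1)abc(2)def(3)ghif(4)" becomes "abc.def.ghif".
# Stanza and class names are hypothetical; the numeric prefix keeps the steps in order.
#   step 1: every "(n)label" becomes ".label"                    -> ".h42-m.sec.lab(0)"
#   step 2: a "(n)" left directly after a label is the terminator -> ".h42-m.sec.lab"
#   step 3: drop a dot at a word start (string start or after whitespace) -> "h42-m.sec.lab"
# Step 3 avoids the ^ and $ anchors of the earlier answer, which cannot match mid-event.
PROPS_CONF = r"""
[win_dns]
SEDCMD-1_label_to_dot     = s/\(\d+\)([\w-]+)/.\1/g
SEDCMD-2_drop_terminator  = s/([\w-])\(\d+\)/\1/g
SEDCMD-3_drop_leading_dot = s/(^|\s)\.([\w-])/\1\2/g
"""

SEDCMD_LINE = re.compile(r"^SEDCMD-[^\s=]+\s*=\s*(s/.*)$")


def parse_sedcmds(conf):
    """Return (pattern, replacement, is_global) for each SEDCMD line, in file order.
    Assumes '/' as the sed delimiter and no '/' inside pattern or replacement."""
    cmds = []
    for line in conf.splitlines():
        m = SEDCMD_LINE.match(line.strip())
        if not m:
            continue
        parts = m.group(1).split("/")
        if len(parts) != 4 or parts[0] != "s":
            raise ValueError(f"unsupported SEDCMD syntax: {line!r}")
        _, pattern, repl, flags = parts
        cmds.append((pattern, repl, "g" in flags))
    return cmds


def apply_sedcmds(event, cmds):
    """Run the substitutions in order; Python's re stands in for Splunk's regex engine."""
    for pattern, repl, is_global in cmds:
        event = re.sub(pattern, repl, event, count=0 if is_global else 1)
    return event


def rewrite_dns_event(event):
    return apply_sedcmds(event, parse_sedcmds(PROPS_CONF))


if __name__ == "__main__":
    # Constructed samples in the formats quoted in the thread.
    for sample in ("(1)abc(2)def(3)", "(1)abc(2)def(3)ghif(4)xyz(5)",
                   "Q [0001 D NOERROR] A (5)h42-m(3)sec(3)lab(0)"):
        print(rewrite_dns_event(sample))
```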

Re: How to alter data using SEDCMD in props.conf?

SplunkTrust

I solved your question. Go post a new question with a description and I will post your answer.
