I am trying to use the SEDCMD when indexing Windows DNS logs as described in this solution:
http://splunk-base.splunk.com/answers/4546/field-extraction-regex-fu-help
In a nutshell, the Windows DNS logs have the domain name being queried in this format: (6)images(6)google(3)com(0) and I need them in this format: images.google.com
I added these items to my props.conf in /opt/splunk/etc/system/local:
[source::/home/dnsuser/Downloads/dns1.log]
sourcetype = windns
[windns]
SEDCMD-domainname = s/(\(\d\))/./g
Then I restarted Splunk, created a new index called DNS and a new data input for the file /home/dnsuser/Downloads/dns1.log. In the data input I manually specified windns as the source type. The data is in there and my field extractions specified in transforms.conf are working fine as I can see them by specifying either index=dns or sourcetype=windns.
The domain name is extracted to a field called dns_query. When I view that field in the search results the domain name has not been modified by the SEDCMD. I know the syntax of the SEDCMD is correct because I can use it this way and the domain names are in the proper format:
index=dns | rex "((?
Any help would be appreciated.
SEDCMD-domainname = s/(\(\d+\))/./g
You had an extra "\" and needed an extra "+"
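An added example (my own code, not from the thread or from Splunk) that shows why the `+` matters: the original `\d` pattern only matches a single-digit length, so any label of 10 or more characters is left untouched, while `\d+` handles all lengths. It also includes a small decoder that rebuilds the dotted name from the length-prefixed labels and checks that each declared length matches the label that follows, which is a useful sanity check on parsed DNS log lines. The sample names are constructed.

```python
import re

# Constructed sample names in the Windows DNS debug-log encoding from the
# question (made up for illustration, not taken from a real log).
SAMPLE_NAMES = [
    "(6)images(6)google(3)com(0)",
    "(11)mailservers(7)example(3)com(0)",   # a label longer than 9 chars
]

# The two SEDCMD patterns from the thread, as Python regexes.
SED_ORIGINAL = re.compile(r"(\(\d\))")    # \d matches exactly one digit
SED_FIXED = re.compile(r"(\(\d+\))")      # \d+ also matches lengths >= 10


def apply_sedcmd(name, pattern):
    """Mimic 's/<pattern>/./g': replace every match with a dot.
    Note that this leaves a leading and a trailing dot in the result."""
    return pattern.sub(".", name)


# One '(length)' token followed by the label characters up to the next '('.
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")


def decode_dns_name(encoded):
    """Decode '(6)images(6)google(3)com(0)' into 'images.google.com',
    raising ValueError if a declared length does not match its label."""
    labels = []
    pos = 0
    for m in LABEL_RE.finditer(encoded):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}: {encoded[pos:m.start()]!r}")
        declared, label = int(m.group(1)), m.group(2)
        pos = m.end()
        if declared == 0:            # '(0)' is the root label: end of name
            break
        if len(label) != declared:
            raise ValueError(f"declared length {declared} does not match label {label!r}")
        labels.append(label)
    return ".".join(labels)


def is_well_formed(encoded):
    """True if every declared label length matches the label text."""
    try:
        decode_dns_name(encoded)
        return True
    except ValueError:
        return False
```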
If you're using a LightForwarder or Universal Forwarder the SEDCMD configuration needs to exist on the indexer(s) which actually performs the parsing work.
I am having the same issue. On the Universal forwarder (Windows host) I have configured the following in $SPLUNK_HOME/etc/system/local/props.conf:
[sourcetype::DNSSrvLog]
SEDCMD-dns_name = s/((\(\d+\))/./g
and the logs appeared unchanged on the indexer.
I tried different REGEXes. The one above. The ones below:
s/(\(\d+\))/./g
s/(\(\d+\))/./g
s/\(\d+\)/./g
s/(\d+)/./g
None of that worked. Any assistance will be appreciated.
SEDCMD doesn't work on the UF