Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: SEDCMD help with Windows DNS logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SEDCMD help with Windows DNS logs
I am trying to use the SEDCMD when indexing Windows DNS logs as described in this solution:
http://splunk-base.splunk.com/answers/4546/field-extraction-regex-fu-help In a nutshell the Windows DNS logs have the domain name being queried in this format: (6)images(6)google(3)com(0) and I need them in this format images.google.com
I added these items to my props.conf in /opt/splunk/etc/system/local:
[source::/home/dnsuser/Downloads/dns1.log]
sourcetype = windns
[windns]
SEDCMD-domainname = s/(\(\d\))/./g
Then I restarted Splunk, created a new index called DNS and a new data input for the file /home/dnsuser/Downloads/dns1.log. In the data input I manually specified windns as the source type. The data is in there and my field extractions specified in transforms.conf are working fine as I can see them by specifying either index=dns or sourcetype=windns.
The domain name is extracted to a field called dns_query. When I view that field in the search results the domain name has not been modified by the SEDCMD. I know the syntax of the SEDCMD is correct because I can use it this way and the domain names are in the proper format:
index=dns | rex "((?
Any help would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SEDCMD-domainname = s/(\(\d+\))/./g
You had an extra "\" and needed an extra "+"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're using a LightForwarder or Universal Forwarder the SEDCMD configuration needs to exist on the indexer(s) which actually performs the parsing work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am having the same issue. On the Universal forwarder (Windows host) I have configured the following in $SPLUNK_HOME/etc/system/local/props.conf:
[sourcetype::DNSSrvLog]
SEDCMD-dns_name = s/((\(\d+\))/./g
and logs appeared not changed on the indexer
I tried different REGEXes. The one above. The ones below:
s/(\(\d+\))/./g
s/(\(\d+\))/./g
s/\(\d+\)/./g
s/(\d+)/./g
None of that worked. Any assistance will be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SEDCMD doesn't work on the UF
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
