Getting Data In

SEDCMD help with Windows DNS logs


I am trying to use the SEDCMD when indexing Windows DNS logs as described in this solution: In a nutshell the Windows DNS logs have the domain name being queried in this format: (6)images(6)google(3)com(0) and I need them in this format

I added these items to my props.conf in /opt/splunk/etc/system/local:

sourcetype = windns

SEDCMD-domainname = s/(\(\d\))/./g

Then I restarted Splunk, created a new index called DNS and a new data input for the file /home/dnsuser/Downloads/dns1.log. In the data input I manually specified windns as the source type. The data is in there and my field extractions specified in transforms.conf are working fine as I can see them by specifying either index=dns or sourcetype=windns.

The domain name is extracted to a field called dns_query. When I view that field in the search results the domain name has not been modified by the SEDCMD. I know the syntax of the SEDCMD is correct because I can use it this way and the domain names are in the proper format:

index=dns | rex "((?(\w+((\d))){1,}?)$)" | rex mode=sed field=dns_query "s/(\(\d\))/./g"

Any help would be appreciated.

SEDCMD-domainname = s/(\(\d+\))/./g

You had an extra "\" and needed an extra "+"

0 Karma


If you're using a LightForwarder or Universal Forwarder the SEDCMD configuration needs to exist on the indexer(s) which actually performs the parsing work.

0 Karma

Path Finder

I am having the same issue. On the Universal forwarder (Windows host) I have configured the following in $SPLUNK_HOME/etc/system/local/props.conf:

SEDCMD-dns_name = s/((\(\d+\))/./g

and logs appeared not changed on the indexer

I tried different REGEXes. The one above. The ones below:





None of that worked. Any assistance will be appreciated.

0 Karma


SEDCMD doesn't work on the UF

0 Karma