Unable to parse dns windows logs in splunk

OMohi
Path Finder

I am unable to parse Windows DNS logs in Splunk. My raw event contains 2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0). I want to remove the () from the domain name.

I tried to configure the following in props.conf on the indexers and restarted them but no luck:

[DNS]
MAX_TIMESTAMP_LOOKAHEAD=128
TRUNCATE=20000
DATETIME_CONFIG=CURRENT
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
disabled=false
SEDCMD-win_dns = s/\(\d+\)/./g

Any assistance in troubleshooting this issue is greatly appreciated.

Thanks,
Mohammed Mohiuddin


spayneort
Contributor

This is what I use:

[MSAD:NT6:DNS]
SEDCMD-win_dns-first = s/\(\d+\)/./g
SEDCMD-win_dns-second = s/\s\.(.*)\.$/ \1/g

woodcock
Esteemed Legend

You should be able to chain those together like this:

[MSAD:NT6:DNS]
SEDCMD-win_dns = s/\(\d+\)/./g s/\s\.(.*)\.$/ \1/g

aswin_asok
Explorer

Hi,

In addition to the query looking like this (2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0), the logs are followed by UDP Response and many more lines.

Ex.

] A (2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0)

UDP Response......

When I used - SEDCMD-win_dns = s/\(\d+\)/./g s/\s\.(.*)\.$/ \1/g

the log is formatted as     ] A .35.48.199.157.in-addr.arpa.

There is a 'dot' at the end. Can you please advise on how to remove the trailing dot alone?

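To make the two-step SEDCMD chain from the answers above concrete, here is an added Python example (not code from this thread or from Splunk) that runs the same substitutions on a constructed event: it shows why the trailing dot survives when the event continues with "UDP Response" lines (the second pattern is anchored on `$`), what the unescaped `s/(\d+)/./g` from the question actually matches, and, as an assumption that goes beyond the thread, a variant of step 2 anchored on the next whitespace instead of end of line.

```python
import re

# Added example: the SEDCMD patterns from the thread as Python re substitutions.
# Splunk's regexes are PCRE-based, so behaviour is close but not guaranteed identical.

# Step 1 (SEDCMD-win_dns-first): every "(n)" label-length marker becomes a dot.
STEP1 = (re.compile(r"\(\d+\)"), ".")
# Step 2 (SEDCMD-win_dns-second): drop the leading dot after whitespace and the
# trailing dot, but only when that trailing dot sits at end of line ($).
STEP2 = (re.compile(r"\s\.(.*)\.$"), r" \1")
# Assumed variant (not from the thread): anchor on the next whitespace or end of
# string instead of "$", so it also fires when more lines follow the name.
STEP2_MULTILINE = (re.compile(r"\s\.(\S*)\.(?=\s|$)"), r" \1")
# What the unescaped "s/(\d+)/./g" from the question matches: the digit runs,
# not the parentheses.
UNESCAPED = (re.compile(r"(\d+)"), ".")


def sed_chain(event: str, steps) -> str:
    """Apply (pattern, replacement) pairs in order, like a chained SEDCMD."""
    for pattern, repl in steps:
        event = pattern.sub(repl, event)
    return event


def decode_thread(event: str) -> str:
    """The chain exactly as posted in the thread: step 1, then step 2."""
    return sed_chain(event, [STEP1, STEP2])


def decode_multiline(event: str) -> str:
    """Step 1, then the assumed multiline-safe step 2."""
    return sed_chain(event, [STEP1, STEP2_MULTILINE])


def apply_unescaped(event: str) -> str:
    """The unescaped pattern alone, to show why the parentheses must be escaped."""
    return sed_chain(event, [UNESCAPED])


# Constructed sample events; shape and values taken from the posts above.
SINGLE = "] A (2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0)"
MULTI = SINGLE + "\nUDP Response......"

if __name__ == "__main__":
    print(decode_thread(SINGLE))     # ] A 35.48.199.157.in-addr.arpa
    print(decode_thread(MULTI))      # trailing dot survives: "$" does not match mid-event
    print(decode_multiline(MULTI))   # ] A 35.48.199.157.in-addr.arpa  (then the UDP line)
    print(apply_unescaped(SINGLE))   # ] A (.).(.).(.).(.).(.)in-addr(.)arpa(.)
```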

jkat54
SplunkTrust

Try using \d instead of d; also escape the ( & ), else you're forming a capture group:

SEDCMD-win_dns = s/\(\d+\)/./g

martin_mueller
SplunkTrust

The backslashes in the question were lost in formatting, I've fixed them.


jkat54
SplunkTrust

sedcmd only happens at index time. Can you confirm you're not using a heavy forwarder to send the data in?

Also, you may want to try using rex to get the regular expression right first, and then move it to a sedcmd:

search .... | rex field=fieldname mode=sec "s/\(\d+\)/./g" | table fieldname

I'm thinking you may need a \ in front of the . as well, especially in Windows, as the Windows regex is funny at times.

OMohi
Path Finder

Yes, I am not using a heavy forwarder. The logs are collected on a universal forwarder and sent to the indexer for parsing.

I am able to use the following query at search time, and hence tried to make this permanent by copying it into props.conf.

The following is the query I am trying to execute:

index=dns | rex mode=sed "s/\(\d+\)/./g"

and I am getting the domain name without the () brackets.

But I am unable to copy the same into props.conf and get similar results:
[DNS]
MAX_TIMESTAMP_LOOKAHEAD=128
TRUNCATE=20000
DATETIME_CONFIG=CURRENT
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
disabled=false
SEDCMD-win_dns = s/\(\d+\)/./g

martin_mueller
SplunkTrust

In current versions of Splunk, a lot of the Windows event log parsing happens on Universal Forwarders as well - do deploy that props.conf to your forwarder and see if it correctly changes newly indexed events from then on.

OMohi
Path Finder

Yes, I have made the props entry on the UFs as well and restarted, but still no luck.

Thanks


jkat54
SplunkTrust

Try this:

s/((\d+))/./g

and this

s/\((\d+)\)/./g

We should check the docs to see what regex style windows uses, escape characters etc...

I like to change config and restart many times...


jkat54
SplunkTrust

maybe this too:

s/\(\(\d+\)\)/./g

Go crazy... you'll find it. Please post it back as the answer ;-)

jkat54
SplunkTrust

Interesting... good to know too!
