I am unable to parse Windows logs in Splunk. My raw event contains (2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0). I want to remove the () for the domain name.
I tried to configure the following in props.conf on the indexers and restarted them but no luck:
[DNS]
MAX_TIMESTAMP_LOOKAHEAD=128
TRUNCATE=20000
DATETIME_CONFIG=CURRENT
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
disabled=false
SEDCMD-win_dns = s/\(\d+\)/./g
Any assistance in troubleshooting this issue is greatly appreciated.
In addition to the query like this (2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0), the logs are followed by UDP Response and many lines.
] A (2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0)
When I used SEDCMD-win_dns = s/\(\d+\)/./g s/\s\.(.*)\.$/ \1/g
the log is formatted as ] A .126.96.36.199.in-addr.arpa.
There is a 'dot' at the end. Can you please advise on how to remove the trailing dot alone?
sedcmd only happens at index time. Can you confirm you're not using a heavy forwarder to send the data in? Also, you may want to try using rex to get the regular expression right first, and then move it to a sedcmd:
... | rex field=fieldname mode=sed "s/\(\d+\)/./g" | table fieldname
I'm thinking you may need a \ in front of the . as well, especially in Windows, as the Windows regex is funny at times.
Yes, I am not using a heavy forwarder. The logs are collected on a universal forwarder and sent to the indexer for parsing.
I am able to use the following query in search time, and hence tried to make this permanent by copying it in props.conf
The following is the query I am trying to execute:
index=dns | rex mode=sed "s/\(\d+\)/./g"
and I am getting the domain name without the () brackets.
But unable to copy the same in props.conf and get similar results:
SEDCMD-win_dns = s/\(\d+\)/./g
In current versions of Splunk, a lot of the Windows event log parsing happens on Universal Forwarders as well - do deploy that props.conf to your forwarder and see if it correctly changes newly indexed events from then on.
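Prototyping the expressions in a scratch script before they go into props.conf, as the first reply suggests, makes the trailing-dot problem easy to see. The script below is added here and is not from the thread or from Splunk; it serves both the trailing-dot question above and the props.conf deployment. It decodes the length-prefixed name properly (checking each (n) against the label that follows it and rejecting malformed input), runs the thread's regex approach as two separate SEDCMD keys so the second expression actually executes, and renders the stanza to push to the forwarder. The class names win_dns1/win_dns2, the assumption that SEDCMD keys run in ASCII order of the class name (hence the numbering), and the sample event with text after the name are assumptions; the [DNS] sourcetype, SHOULD_LINEMERGE=false and the first encoded name come from the thread.

```python
import re

# Constructed sample events in the shape quoted in the thread: the first uses the
# thread's own encoded name, the second is an assumed name with text after it,
# since the thread says real events carry "UDP Response" and more after the name.
SAMPLE_EVENTS = [
    "] A (2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0)",
    "] A (3)www(7)example(3)com(0) UDP Response",
]

# One length-prefixed label: "(len)label". "(0)" with an empty label is the root.
LABEL_RE = re.compile(r"\((\d+)\)([^()\s]*)")
# A whole encoded name inside an event, e.g. (3)www(7)example(3)com(0).
ENCODED_NAME_RE = re.compile(r"(?:\(\d+\)[^()\s]*)+")


def decode_dns_name(encoded):
    """Decode (3)www(7)example(3)com(0) into www.example.com.

    Each length is checked against the label it prefixes and a ValueError is
    raised on mismatch or trailing junk, so a malformed or truncated name is
    reported instead of being silently reshaped into a plausible hostname.
    """
    labels = []
    pos = 0
    while pos < len(encoded):
        m = LABEL_RE.match(encoded, pos)
        if m is None:
            raise ValueError(f"not a length-prefixed label at offset {pos}: {encoded[pos:]!r}")
        length, label = int(m.group(1)), m.group(2)
        pos = m.end()
        if length == 0:
            # (0) is the DNS root label: it must be last and carry no text.
            if label or pos != len(encoded):
                raise ValueError("data after root label (0)")
            break
        if len(label) != length:
            raise ValueError(f"length {length} does not match label {label!r}")
        labels.append(label)
    return ".".join(labels)


def is_valid_encoded_name(encoded):
    """True if the encoded name decodes cleanly, False if it is malformed."""
    try:
        decode_dns_name(encoded)
        return True
    except ValueError:
        return False


def decode_event(event):
    """Replace every encoded name in an event with its decoded form."""
    return ENCODED_NAME_RE.sub(lambda m: decode_dns_name(m.group(0)), event)


# The regex-only approach from the thread, split into one expression per
# SEDCMD-<class> key. Class names are assumed; the keys are assumed to run in
# ASCII order of the class name, which is why they are numbered.
SED_CHAIN = [
    # (n) -> "." ; this also turns the leading (2) and the root (0) into dots
    ("win_dns1", r"\(\d+\)", "."),
    # strip the leading and trailing dot of a whitespace-delimited token;
    # the lookarounds are PCRE syntax, which Splunk's regex engine understands
    ("win_dns2", r"(?<=\s)\.(\S+)\.(?=\s|$)", r"\1"),
]


def apply_sed_chain(event):
    """Apply the SEDCMD expressions in order, as the indexer or UF would."""
    for _cls, pattern, repl in SED_CHAIN:
        event = re.sub(pattern, repl, event)
    return event


def props_conf_stanza(sourcetype="DNS"):
    """Render the stanza to deploy (on the UF as well as the indexers)."""
    lines = [f"[{sourcetype}]", "SHOULD_LINEMERGE=false"]
    for cls, pattern, repl in SED_CHAIN:
        lines.append(f"SEDCMD-{cls} = s/{pattern}/{repl}/g")
    return "\n".join(lines)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("raw:    ", event)
        print("decoded:", decode_event(event))
        print("sed:    ", apply_sed_chain(event))
    print(props_conf_stanza())
```

The decoder and the sed chain agree on well-formed input; the difference is that the decoder refuses a name whose (n) prefix does not match its label, while the regex chain will happily reshape anything with parentheses in it. Keeping one sed expression per SEDCMD key is the practical fix for the trailing dot: with both expressions on one key only the first one ran, which is exactly the ".<name>." shape reported above.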