
Unable to parse DNS Windows logs in Splunk

Path Finder

I am unable to parse Windows logs in Splunk. My raw event contains 2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0). I want to remove the () for the domain name.

I tried to configure the following in props.conf on the indexers and restarted them but no luck:

[DNS]
MAX_TIMESTAMP_LOOKAHEAD=128
TRUNCATE=20000
DATETIME_CONFIG=CURRENT
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
disabled=false
SEDCMD-win_dns = s/\(\d+\)/./g

Any assistance in troubleshooting this issue is greatly appreciated.

Thanks,
Mohammed Mohiuddin


Contributor

This is what I use:

[MSAD:NT6:DNS]
SEDCMD-win_dns-first = s/\(\d+\)/./g
SEDCMD-win_dns-second = s/\s\.(.*)\.$/ \1/g

Esteemed Legend

You should be able to chain those together like this:

[MSAD:NT6:DNS]
SEDCMD-win_dns = s/\(\d+\)/./g s/\s\.(.*)\.$/ \1/g
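As an added example (not code from this thread or from Splunk itself), the script below reproduces what the two-step SEDCMD answer above and its chained form do to a sample event, using Python's re module as a stand-in for Splunk's sed-style processing. The log line is constructed for illustration, parse_sedcmd and apply_sedcmds are assumed helper names, and the last function shows the difference between escaped and unescaped parentheses that later replies in the thread discuss.

```python
import re

# Constructed sample: a Windows DNS debug log line in the layout the thread is
# dealing with. The name field matches the fragment quoted in the question
# (with the leading "(" the post lost); the rest of the line is assumed.
DNS_NAME = "(2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0)"
SAMPLE_PREFIX = (
    "1/28/2016 9:15:32 AM 0A2C PACKET  000000E8D3B4B5A0 UDP Rcv 10.1.2.3   "
    "0002 Q [0001   D   NOERROR] PTR    "
)
SAMPLE_LINE = SAMPLE_PREFIX + DNS_NAME

# The two expressions from the answer above, exactly as written in props.conf.
SEDCMD_CHAIN = [
    r"s/\(\d+\)/./g",          # "(2)35(2)48..." -> ".35.48..."
    r"s/\s\.(.*)\.$/ \1/g",    # " .35.48...arpa." -> " 35.48...arpa"
]


def parse_sedcmd(expr):
    """Split one 's<delim>regex<delim>replacement<delim>flags' expression into
    (regex, replacement, count) for re.sub. Only the s/// form is handled;
    escape sequences (\\d, \\s, \\(, \\1) pass through untouched and an
    escaped delimiter (\\/) becomes a literal delimiter."""
    if len(expr) < 2 or expr[0] != "s":
        raise ValueError("only s/// expressions are supported: %r" % expr)
    delim = expr[1]
    fields, current, i = [], [], 2
    while i < len(expr) and len(fields) < 2:
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):
            nxt = expr[i + 1]
            current.append(nxt if nxt == delim else ch + nxt)
            i += 2
        elif ch == delim:
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) != 2:
        raise ValueError("malformed sed expression: %r" % expr)
    regex, replacement = fields
    flags = expr[i:]                  # whatever follows the closing delimiter
    count = 0 if "g" in flags else 1  # g = replace every match, else first only
    return regex, replacement, count


def apply_sedcmds(line, expressions):
    """Apply the expressions to the line in the order given, each one seeing
    the output of the previous one (how the first/second pair is meant to work)."""
    for expr in expressions:
        regex, replacement, count = parse_sedcmd(expr)
        line = re.sub(regex, replacement, line, count=count)
    return line


def escaped_vs_unescaped(name):
    """Show why the backslashes matter: with \\( and \\) the parentheses are
    literal and the "(n)" label-length markers vanish; without them, (\\d+) is
    a capture group, so only the digit runs are replaced and the brackets stay."""
    return {
        "escaped": apply_sedcmds(name, [r"s/\(\d+\)/./g"]),
        "unescaped": apply_sedcmds(name, [r"s/(\d+)/./g"]),
    }


if __name__ == "__main__":
    print(apply_sedcmds(SAMPLE_LINE, SEDCMD_CHAIN))
    for kind, result in escaped_vs_unescaped(DNS_NAME).items():
        print(kind, "->", result)
```

Running the chain on the sample line turns the trailing field into `35.48.199.157.in-addr.arpa`; the second expression relies on the first having already replaced the markers with dots, which is why the order of the two classes matters. Python's re accepts the `\d`, `\s`, `\(` and `\1` syntax used here, so it is a convenient way to check an expression before restarting indexers, but it is not the same engine Splunk uses.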

SplunkTrust

Try using \d instead of d, and also escape the ( and ), or else you're forming a capture group:

SEDCMD-win_dns = s/\(\d+\)/./g

SplunkTrust

The backslashes in the question were lost in formatting, I've fixed them.


SplunkTrust

sedcmd only happens at index time. Can you confirm you're not using a heavy forwarder to send the data in?

Also, you may want to try using rex to get the regular expression right first, and then move it to a sedcmd

search .... | rex field=fieldname mode=sec "s/\(\d+\)/./g" | table fieldname

I'm thinking you may need a \ in front of the . as well, especially in Windows, as the Windows regex is funny at times.

Path Finder

Yes, I am not using a heavy forwarder. The logs are collected on a universal forwarder and sent to the indexer for parsing.

I am able to use the following query at search time, and hence tried to make this permanent by copying it into props.conf.

The following is the query I am trying to execute:

index=dns | rex mode=sed "s/(\d+)/./g"

and I am getting the domain name without the () brackets.

But I am unable to copy the same into props.conf and get similar results:
[DNS]
MAX_TIMESTAMP_LOOKAHEAD=128
TRUNCATE=20000
DATETIME_CONFIG=CURRENT
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
disabled=false
SEDCMD-win_dns = s/(\d+)/./g

SplunkTrust

In current versions of Splunk, a lot of the Windows event log parsing happens on Universal Forwarders as well - do deploy that props.conf to your forwarder and see if it correctly changes newly indexed events from then on.

Path Finder

Yes, I have made the props entry on the UFs as well and restarted, but still no luck.

Thanks

SplunkTrust

Try this:

s/((\d+))/./g

and this

s/\((\d+)\)/./g

We should check the docs to see what regex style windows uses, escape characters etc...

I like to change config and restart many times...

SplunkTrust

maybe this too:

s/\(\(\d+\)\)/./g

go crazy... you'll find it and post it back as the answer please ;-)
SplunkTrust

Interesting... good to know too!
