Above I have included 2 separate events. Note: I added brackets for sanitization in this post; the real events have no square brackets. These are from a DNS resolver. I've been using a Splunk app I've modified to handle extraction of fields. The current stanza in props.conf is:

EXTRACT-queries = info: resolving (?P<query>(?:.[^\.\s]+)*)\.\s(?P<query_type>\S+)

Both of these work fine when tested outside Splunk, but have strange behavior when used in Splunk.

This annoyingly includes the ending period in the query field, which I specifically wrote the regex to exclude:

query = "acceptor.mcafee-mvision-mobile[.]com.", query_type = "A"
query = "ns-1608.awsdns-09[.]co[.]uk.", query_type = "AAAA"

I'm no Splunk expert, nor am I a regex expert, but I don't see how the match for the query group is including the last period after the TLD. Any help or suggestions would be appreciated. I think I've given enough info, but if you need more let me know.
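As an added example (not part of the original post), here is a small offline Python harness that runs the posted EXTRACT regex, plus a more explicit alternative I wrote, over constructed events shaped like the two sanitized ones; the syslog-style prefix is an assumption, only the "info: resolving ..." tail comes from the post.

```python
import re

# The poster's regex, copied from the props.conf stanza in the post.
POSTER_RE = re.compile(
    r"info: resolving (?P<query>(?:.[^\.\s]+)*)\.\s(?P<query_type>\S+)"
)

# Alternative (mine, not from the post): lazily take non-space characters up
# to the dot that directly precedes the record type. "\.\s" is the anchor that
# keeps the trailing root dot out of the query group in both patterns.
ALT_RE = re.compile(r"info: resolving (?P<query>\S+?)\.\s(?P<query_type>\S+)")

# Constructed sample events approximating the sanitized ones in the post.
SAMPLE_EVENTS = [
    "Jan 01 00:00:00 resolver named[1234]: info: resolving "
    "acceptor.mcafee-mvision-mobile.com. A",
    "Jan 01 00:00:01 resolver named[1234]: info: resolving "
    "ns-1608.awsdns-09.co.uk. AAAA",
]


def extract(event, pattern=POSTER_RE):
    """Return (query, query_type) for one event, or None if it does not match."""
    m = pattern.search(event)
    if not m:
        return None
    return m.group("query"), m.group("query_type")


def extract_all(events, pattern=POSTER_RE):
    """Run the extraction over every event; mirrors what Splunk should produce."""
    return [extract(ev, pattern) for ev in events]


def trailing_dot_offenders(events, pattern=POSTER_RE):
    """List any extracted query that still ends in '.', i.e. the symptom in the post."""
    offenders = []
    for ev in events:
        result = extract(ev, pattern)
        if result is not None and result[0].endswith("."):
            offenders.append(result[0])
    return offenders


if __name__ == "__main__":
    for pat_name, pat in (("poster", POSTER_RE), ("alternative", ALT_RE)):
        print(pat_name, extract_all(SAMPLE_EVENTS, pat))
        print(pat_name, "trailing-dot offenders:", trailing_dot_offenders(SAMPLE_EVENTS, pat))
```

Both patterns strip the root dot here, so a difference seen only inside Splunk points at how the stanza is being read rather than at the regex logic itself.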