Splunk Search

DNS Line Braking Broker at midnight on the first of month

Motivator

Here is what my DNS logs look line

`Oct 31 23:59:59 ns2 named[19971]: 31-Oct-2013 23:59:59.999 queries: client xxx.xxx.xxx.xxx#33299: query: xxx.xxx.xxx.xxx.in-addr.arpa IN PTR + (xxx.xxx.xxx.xxx)

Nov 1 00:00:00 ns2 named[19971]: 01-Nov-2013 00:00:00.003 queries: client xxx.xxx.xxx.xxx#49419: query: Myserver.mydomain.com IN A + (xxx.xxx.xxx.xxx)

Nov 1 00:00:00 ns2 named[19971]: 01-Nov-2013 00:00:00.017 queries: client xxx.xxx.xxx.xxx#36802: query: 101.208.135.130.in-addr.arpa IN PTR + ()
`
Here is the transform in props.conf to collect the time stamp and line braking

[dns]
LINE_BREAKER = ([\r\n]+)\w+\s\d+\s[\d:]+
NO_BINARY_CHECK = 1
TZ = UTC
SHOULD_LINEMERGE = false
TIME_FORMAT = %d-%b-%Y %H:%M:%S.%3N
TIME_PREFIX = \]:\s
pulldown_type = 1

Some how the line braking is not working after midnight.
Instead of getting one line per I am gettinf odd numbers of lines like 3/4 or 45 lines per log

Can anyone help?

0 Karma

Motivator

I solved the issue

The extra space caused by gogin from double diget days to single diget days.

I started indexing on Oct 28 so the regex worked like this:

LINE_BREAKER = ([\r\n]+)\w+\s\d+\s[\d:]+

After the 31 there was an extra spamce between Nov and the 1st so I did this

LINE_BREAKER = ([\r\n]+)\w+\s+\d+\s[\d:]+

that solved the issue

0 Karma

Ultra Champion

Good that you found it. However, since this is single line events, you could make do with a slightly shorter config - simply skip the LINE_BREAKER.

0 Karma