Re: Find duration on transaction where field name ...

pkcbailey · ‎05-28-2019

Sample data:

May 25 01:51:14 ns1 named[32063]: zone somezone.net/IN/default: notify from 192.168.10.20#31830: serial 558310538
May 25 03:16:17 ns1 named[32063]: zone somezone.net/IN/default: transferred serial 558310538: TSIG 'view12345'

My issue is, without using the serial number which I've not been able to map to the same field name, the data won't be tracked correctly in a transaction. I get transactions with serial number that don't match. I need to know how long it took the DNS to notify then transfer somezone.net for the same exact serial number.

pkcbailey · ‎05-28-2019

Here was the query I started with: index=dns host=ns1 ((notify AND serial) OR serial) somezone.net |transaction zonename startswith=notify endswith=transferred |where duration>600 |table duration

jodyfsu · ‎05-28-2019

Before we address the transaction, you say, "without using the serial number which I've not been able to map to the same field name,"...

Will a rex not work to get you the serial number, then you could use the serial number for the transaction?

pkcbailey · ‎05-28-2019

I'm not sure how to rex that into a single value.

jodyfsu · ‎05-28-2019

Does this work:

|rex "serial\s(?<SERIALNUMB>\d+)"

pkcbailey · ‎05-29-2019

None of the rex code folks have provided group the transaction with the same serial number yet.

aromanauskas · ‎06-02-2019

Try this:

index=dns host=ns1 ((notify AND serial) OR serial) somezone.net |rex "\s+serial\s+(?<serial_test>\d+)" | transaction serial_test,zonename max_events=2  startswith=notify endswith=transferred| where duration>600 |table duration

Find duration on transaction where field name doesn't match

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!