Splunk Search

Find duration on transaction where field name doesn't match

New Member

Sample data:

May 25 01:51:14 ns1 named[32063]: zone somezone.net/IN/default: notify from 192.168.10.20#31830: serial 558310538
May 25 03:16:17 ns1 named[32063]: zone somezone.net/IN/default: transferred serial 558310538: TSIG 'view12345'

My issue is, without using the serial number, which I've not been able to map to the same field name, the data won't be tracked correctly in a transaction. I get transactions with serial numbers that don't match. I need to know how long it took the DNS to notify and then transfer somezone.net for the same exact serial number.

0 Karma

New Member

Here was the query I started with:

index=dns host=ns1 ((notify AND serial) OR serial) somezone.net |transaction zonename startswith=notify endswith=transferred |where duration>600 |table duration

0 Karma

Path Finder

Before we address the transaction, you say, "without using the serial number which I've not been able to map to the same field name,"...

Will a rex not work to get you the serial number, then you could use the serial number for the transaction?

0 Karma

New Member

I'm not sure how to rex that into a single value.

0 Karma

Path Finder

Does this work:

|rex "serial\s(?<SERIALNUMB>\d+)"

0 Karma

New Member

None of the rex code folks have provided groups the transaction with the same serial number yet.

0 Karma

Path Finder

Try this:

index=dns host=ns1 ((notify AND serial) OR serial) somezone.net |rex "\s+serial\s+(?<serial_test>\d+)" | transaction serial_test,zonename max_events=2 startswith=notify endswith=transferred| where duration>600 |table duration

0 Karma
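To make the correlation concrete outside Splunk, here is an added Python example (not code from the thread) that does what the final rex + transaction query does: it pulls the serial into one shared field from both the notify and the transferred lines, pairs the two events on (zone, serial), and reports the notify-to-transfer duration. The log lines are constructed from the thread's sample, and the year is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the thread's BIND log excerpt (not the poster's real data).
LOG_LINES = [
    "May 25 01:51:14 ns1 named[32063]: zone somezone.net/IN/default: notify from 192.168.10.20#31830: serial 558310538",
    "May 25 03:16:17 ns1 named[32063]: zone somezone.net/IN/default: transferred serial 558310538: TSIG 'view12345'",
    "May 26 02:00:00 ns1 named[32063]: zone somezone.net/IN/default: notify from 192.168.10.20#31830: serial 558310600",
    "May 26 02:03:00 ns1 named[32063]: zone somezone.net/IN/default: transferred serial 558310600: TSIG 'view12345'",
]

# One pattern covers both event shapes, so "serial" is a single field name for both
# (the same thing the thread's rex achieves before transaction groups on it).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"zone (?P<zone>[^/]+)/\S+: (?P<event>notify|transferred)\b.*?serial (?P<serial>\d+)"
)

YEAR = 2024  # assumption: syslog timestamps carry no year

def parse(line):
    """Return the fields of one zone notify/transfer line, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "zone": m["zone"], "event": m["event"], "serial": m["serial"]}

def notify_to_transfer_durations(lines):
    """Pair each notify with the transferred line carrying the same (zone, serial),
    like `transaction serial_test,zonename startswith=notify endswith=transferred`.
    Returns {(zone, serial): duration_in_seconds} for completed pairs only."""
    open_notifies = {}
    durations = {}
    for ev in filter(None, map(parse, lines)):
        key = (ev["zone"], ev["serial"])
        if ev["event"] == "notify":
            open_notifies.setdefault(key, ev["ts"])  # keep the earliest notify for a serial
        elif key in open_notifies:  # transferred: close the pair with the matching serial
            durations[key] = (ev["ts"] - open_notifies.pop(key)).total_seconds()
    return durations

def slow_transfers(lines, threshold=600):
    """Equivalent of `where duration>600`: only pairs that took longer than the threshold."""
    return {k: d for k, d in notify_to_transfer_durations(lines).items() if d > threshold}
```

A notify whose serial never shows up in a transferred line stays unpaired and is not reported, which is the same behaviour the transaction endswith= constraint gives.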