Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to reduce the DNS logs using regex?

kiran331
Builder
‎06-15-2017 07:57 AM

Hi

I have the DNS debug logs enabled, is there a way to index only failures ignoring the successful one's?

I have many events with NOERROR in msg, I hae to ignore the events with NOERROR in msg and index rest of events. how to edits props.conf and transforms.conf to make it work?

6/15/2017 9:54:10 AM 0CFC PACKET 000000F39767C180 UDP Snd 1.2.3.3 1603 R Q [8081 DR NOERROR] A (5)ctldl(13)windowsupdate(3)com(0)

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-15-2017 08:08 AM

Hi
try with this configurations:

Props.conf

[your_sourcetype]
TRANSFORMS-set-DNS=set_DNS,set_nullqueue

Transforms.conf

########## discard ##########

[set_nullqueue]
REGEX=NOERROR 
DEST_KEY=queue
FORMAT=nullQueue

########## filter ##########

[set_DNS]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue

verify (using Splunk) if regex is correct!

For more information see http://docs.splunk.com/Documentation/Splunk/6.6.1/Forwarding/Routeandfilterdatad

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-15-2017 08:08 AM

Hi
try with this configurations:

Props.conf

[your_sourcetype]
TRANSFORMS-set-DNS=set_DNS,set_nullqueue

Transforms.conf

########## discard ##########

[set_nullqueue]
REGEX=NOERROR 
DEST_KEY=queue
FORMAT=nullQueue

########## filter ##########

[set_DNS]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue

verify (using Splunk) if regex is correct!

For more information see http://docs.splunk.com/Documentation/Splunk/6.6.1/Forwarding/Routeandfilterdatad

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

kiran331
Builder
‎06-15-2017 01:39 PM

Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...