Solved: How to write regex to capture multiple groups and ...

joshuamcqueen · ‎08-21-2014

Stumped on a regex problem and need a hand. Basically, I have DNS logs that come in like this:

8/21/2014 9:32:20 AM 0E5C PACKET 000000298F0CA280 UDP Rcv 10.2.56.13 136b Q [0001 D NOERROR] PTR (2)25(2)21(1)5(2)10(7)in-addr(4)arpa(0)

8/21/2014 9:32:20 AM 0E60 PACKET 000000298EE81DF0 UDP Rcv 10.2.4.60 7d30 Q [0001 D NOERROR] A (14)usca-cdst-sw01(3)domain(3)com(0)

8/21/2014 9:32:20 AM 0E60 PACKET 00000029936FBF70 UDP Rcv 10.2.4.60 ce83 Q [0001 D NOERROR] A (14)usca-edge-sw01(3)domain(3)com(0)

8/21/2014 9:32:20 AM 0E60 PACKET 00000029936FBF70 UDP Rcv 10.2.4.60 db29 Q [0001 D NOERROR] A (14)usxo-core-vg02(3)domain(3)com(0)

8/21/2014 9:32:20 AM 0E60 PACKET 000000298EE81DF0 UDP Rcv 10.2.4.60 42b1 Q [0001 D NOERROR] A (14)brca-rvrb-wo01(3)bru(3)domain(3)com(0)

Towards the end of each event, you'll see something like, "(14)ussp-usrv-rt01(3)domain(3)com(0)"

Basically, I'm trying to write regex to convert this into "ussp-usrv-rt01.domain.com"

My strategy was to capture everything after NOERROR]\s+\w+\s+ to end of line, then replace the parenthesis with a period. Having trouble getting it just right.

Any suggestions? Thanks!

somesoni2 · ‎08-21-2014

Try this

your base search  | rex mode=sed "s/(\([\d*\w*]*\))/./g"

View solution in original post

somesoni2 · ‎08-21-2014

Try this

your base search  | rex mode=sed "s/(\([\d*\w*]*\))/./g"

joshuamcqueen · ‎08-21-2014

There is a blog article that talks about this approach: http://stratumsecurity.com/2012/07/03/splunk-security/

How to write regex to capture multiple groups and replace parentheses with periods from DNS Logs?

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Enterprise Security Content Update (ESCU) | New Releases