Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Matching A vs AAAA rex help

dondky
Path Finder
‎10-21-2013 09:59 AM

All,

I'm stuck on a regex issue. Not sure how I can match A records vs AAAA records within windows dns logs. I came up with the following:

sourcetype=windns* | rex "NOERROR]\s(?(?:A|PTR|SRV|TXT|AAAA))\s" | table record_type

However, my AAAA records don't return, I'm thinking this is because the A is matched and the match stops there. How would one match A and AAAA records?

Here is a sample data set:

20131021 12:24:06 1190 PACKET 05D2B130 UDP Rcv 192.168.x.x e31f Q [0001 D NOERROR] A test.example.com
20131021 12:24:06 1190 PACKET 1D4EE140 UDP Rcv 192.168.x.x 3d6d Q [0001 D NOERROR] AAAA test.example.com

Any pointers or assistance would be helpful.

Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-21-2013 10:07 AM

Why be so specific? Just take everything between "NOERROR]" and the DNS name as the record type.

| rex "NOERROR]\s(?<record_type>.*?)\s" |

If you only want to see specific record types, use a where clause after the rex.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

dondky
Path Finder
‎10-21-2013 10:07 AM

Might be answering my own question but I think I found a solution with the following:

sourcetype=windns* | rex "NOERROR]\s(?<record_type>(?:A|PTR|SRV|TXT|\bAAAA\b))\s" | table record_type. Still open to how others would solve this though.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-21-2013 10:07 AM

Why be so specific? Just take everything between "NOERROR]" and the DNS name as the record type.

| rex "NOERROR]\s(?<record_type>.*?)\s" |

If you only want to see specific record types, use a where clause after the rex.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-21-2013 10:24 AM

Please accept this answer if it solves your problem.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

dondky
Path Finder
‎10-21-2013 10:16 AM

Wow, this is much better I tried .* route but never added the ? hence I went the specific route. Thanks for pointing this out.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...