Microsoft DNS Query not parsing

Path Finder

Hello,

Here is what my DNS queries are being indexed as. I am looking for a search-time regex that will extract the (#) parts and replace them with a ".". Below is what I have, which does the replacing fine. The issue is that any query with a "-" in it gets choked at the first slash and put into the query field.

My search:
| eval newfield=ltrim(replace(src_domain, "(([\d]+))", "."),".")

Example query:
(6)fp-afd(9)azureedge(3)net(0)

What I want:
fp-afd.azureedge.net

What the eval gives:
fp

The eval statement works perfectly for any query that doesn't contain a "-". Any help is appreciated.

0 Karma
1 Solution

SplunkTrust

Try this run-anywhere search:

| makeresults
| eval src_domain="(6)fp-afd(9)azureedge(3)net(0)"
| eval newfield=ltrim(replace(src_domain, "\([\d]+\)", "."), ".")
| eval newfield=rtrim(newfield, ".")

In your environment you should try:

... | eval src_domain="(6)fp-afd(9)azureedge(3)net(0)"
    | eval newfield=ltrim(replace(src_domain, "\([\d]+\)", "."), ".")
    | eval newfield=rtrim(newfield, ".")

Let me know if this helps!

0 Karma

Path Finder

Hey mayurr98,

So that works for that src_domain but doesn't work for all of the values in src_domain. For instance, this query "PTB-HG-LOG.ad.test.com" shows up only as "PTB" in the src_domain field.

0 Karma

SplunkTrust

It is giving me correct values:

| makeresults
| eval src_domain="(6)fp-afd(9)azureedge(3)net(0) PTB-HG-LOG.ad.test.com"
| makemv src_domain
| mvexpand src_domain
| eval newfield=ltrim(replace(src_domain, "\([\d]+\)", "."), ".")
| eval newfield=rtrim(newfield, ".")

Can you give an exact sample input for which this query doesn't work?
Or else show a screenshot of the output with the query, src_domain and newfield.

0 Karma

Path Finder

search: index=msad | makemv src_domain | mvexpand src_domain | eval newfield=ltrim(replace(src_domain, "([\d]+)", "."),".") | eval newfield=rtrim(newfield,".")

The bold query below is another example. When I look in the "newfield" field, the value is just "client", not "client-office365-tas.msedge.net".

4/6/2018 2:03:24 PM 0C38 PACKET 000002C8F8BC4520 UDP Snd 192.168.115.33 afad R Q [8081 DR NOERROR] A (20)client-office365-tas(6)msedge(3)net(0)
UDP response info at 000002C8F8BC4520
Socket = 716
Remote addr 192.168.115.33, port 54724
Time Query=607061, Queued=0, Expire=0
Buf length = 0x0200 (512)
Msg length = 0x00a0 (160)
Message:
XID 0xafad
Flags 0x8180
QR 1 (RESPONSE)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 1
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 3
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(20)client-office365-tas(6)msedge(3)net(0)"

0 Karma
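The raw debug-log line above shows where the hyphen trouble actually sits. Windows DNS writes the query name as length-prefixed labels, "(20)client-office365-tas(6)msedge(3)net(0)", with the trailing "(0)" standing for the root, and a hyphen is a legal character inside a label. Any search-time extraction that builds src_domain from a \w-style character class stops at the first "-", so the eval from the accepted answer is handed "(20)client" and can only ever return "client". The Python below is an added example, not code from this thread or from Splunk: it decodes the label format, checks each label's declared length against its text so a truncated name is flagged instead of silently becoming a wrong domain, and contrasts a robust extraction with a naive \w-based one. The naive pattern is an assumption standing in for the OP's unseen field extraction, and the second and third log lines are constructed.

```python
import re
from typing import Iterable, List, Optional

# Sample lines in the Microsoft DNS debug-log PACKET format. The first is the
# one quoted in the thread; the other two are constructed here to exercise a
# hyphenated name and an underscore-prefixed SRV name.
SAMPLE_LINES = [
    "4/6/2018 2:03:24 PM 0C38 PACKET 000002C8F8BC4520 UDP Snd 192.168.115.33 afad R Q [8081 DR NOERROR] A (20)client-office365-tas(6)msedge(3)net(0)",
    "4/6/2018 2:03:25 PM 0C38 PACKET 000002C8F8BC4600 UDP Rcv 192.168.115.34 b1c2   Q [0001   D   NOERROR] A (6)fp-afd(9)azureedge(3)net(0)",
    "4/6/2018 2:03:26 PM 0C38 PACKET 000002C8F8BC4700 UDP Rcv 192.168.115.35 c3d4   Q [0001   D   NOERROR] SRV (5)_ldap(4)_tcp(2)ad(4)test(3)com(0)",
]

# Each label is written as "(length)text"; the final "(0)" is the DNS root.
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

# Robust extraction: DNS labels may contain letters, digits, "-" and "_".
NAME_RE = re.compile(r"(?:^|\s)((?:\(\d+\)[A-Za-z0-9_-]*)+)")

# Naive extraction with a \w-only label class: it stops at the first "-".
# Assumption: this is how the OP's field extraction behaves; the thread only
# shows the truncated output, not the extraction itself.
NAIVE_NAME_RE = re.compile(r"(?:^|\s)((?:\(\d+\)\w*)+)")


def encoded_name_from_line(line: str, naive: bool = False) -> Optional[str]:
    """Return the length-prefixed name from a PACKET line, or None if absent."""
    m = (NAIVE_NAME_RE if naive else NAME_RE).search(line)
    return m.group(1) if m else None


def spl_style_replace(encoded: str) -> str:
    # Python equivalent of the accepted answer's eval chain:
    #   ltrim(replace(src_domain, "\([\d]+\)", "."), ".") then rtrim(newfield, ".")
    # It cannot notice a truncated input: "(6)fp" silently becomes "fp".
    return re.sub(r"\(\d+\)", ".", encoded).strip(".")


def decode_dns_name(encoded: str) -> str:
    """Decode "(6)fp-afd(9)azureedge(3)net(0)" into "fp-afd.azureedge.net".

    Every label's declared length is compared with its text, so a name that
    was cut short upstream (for example "(6)fp") raises ValueError instead of
    producing a plausible-looking but wrong domain.
    """
    labels: List[str] = []
    consumed = 0
    for m in LABEL_RE.finditer(encoded):
        if m.start() != consumed:
            raise ValueError(f"unexpected text at offset {consumed} in {encoded!r}")
        consumed = m.end()
        length, text = int(m.group(1)), m.group(2)
        if length != len(text):
            raise ValueError(
                f"label {text!r} has {len(text)} chars but header says {length} in {encoded!r}"
            )
        if text:  # skip the empty root label
            labels.append(text)
    if not encoded or consumed != len(encoded):
        raise ValueError(f"empty name or trailing garbage in {encoded!r}")
    return ".".join(labels)


def query_names(lines: Iterable[str], naive: bool = False) -> List[Optional[str]]:
    """Decode the query name of each line; None marks a line whose extracted
    name was missing or failed the length check (i.e. was truncated)."""
    out: List[Optional[str]] = []
    for line in lines:
        encoded = encoded_name_from_line(line, naive=naive)
        try:
            out.append(decode_dns_name(encoded) if encoded else None)
        except ValueError:
            out.append(None)
    return out


if __name__ == "__main__":
    robust = query_names(SAMPLE_LINES)
    truncated = query_names(SAMPLE_LINES, naive=True)
    for good, bad in zip(robust, truncated):
        print(f"{good!s:40} naive extraction -> {bad}")
```

Truncated query names matter beyond tidiness: detection content keyed on full FQDNs (allowlists, lookalike-domain matching, DGA scoring) quietly misses anything with a hyphen when the extraction is wrong, so validating label lengths at ingest is a cheap way to surface the problem before it hides in a dashboard.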

Path Finder

It's strange, because I know what you posted is working when you specify | eval src_domain = "url", but when I run it against the index, it doesn't seem to work.

I appreciate your help and will continue to tinker around with it.

-Jordan

0 Karma