Splunk Search

Microsoft DNS Query not parsing

Path Finder

Hello,

Here is what my DNS queries are being indexed as. I am looking for a search time regex that will extract the (#) parts and replace with a ".". Below is what I have, which does the replacing fine. The issue is that any query with a "-" in it, gets choked at the first slash and put into the query field.

My search:
| eval newfield=ltrim(replace(src_domain, "(([\d]+))", "."),".")

Example query:
(6)fp-afd(9)azureedge(3)net(0)

What I want:
fp-afd.azureedge.net

What the eval gives:
fp

The eval statement works perfectly for any query that doesn't contain a "-". Any help is appreciated.

0 Karma
1 Solution

SplunkTrust

Try this run-anywhere search:

| makeresults
| eval src_domain="(6)fp-afd(9)azureedge(3)net(0)"
| eval newfield=ltrim(replace(src_domain, "\([\d]+\)", "."),".")
| eval newfield=rtrim(newfield,".")

In your environment you should try:

... | eval src_domain="(6)fp-afd(9)azureedge(3)net(0)"
    | eval newfield=ltrim(replace(src_domain, "\([\d]+\)", "."),".")
    | eval newfield=rtrim(newfield,".")

Let me know if this helps!


0 Karma


Path Finder

Hey mayurr98,

So that works for that srcdomain but doesn't work for all of the values in srcdomain. For instance, this query "PTB-HG-LOG.ad.test.com" shows up only as "PTB" in the src_domain field.

0 Karma

SplunkTrust

It is giving me correct values.

| makeresults
| eval src_domain="(6)fp-afd(9)azureedge(3)net(0) PTB-HG-LOG.ad.test.com"
| makemv src_domain
| mvexpand src_domain
| eval newfield=ltrim(replace(src_domain, "\([\d]+\)", "."),".")
| eval newfield=rtrim(newfield,".")

Can you give an exact sample input for which this query doesn't work?
Or else show a screenshot of the output with the query, src_domain and newfield.

0 Karma

Path Finder

search: index=msad | makemv srcdomain | mvexpand srcdomain | eval newfield=ltrim(replace(src_domain, "([\d]+)", "."),".") | eval newfield=rtrim(newfield,".")

The bold query below is another example. When I look in the "newfield" field, the value is just "client", not "client-office365-tas.msedge.net".

4/6/2018 2:03:24 PM 0C38 PACKET 000002C8F8BC4520 UDP Snd 192.168.115.33 afad R Q [8081 DR NOERROR] A (20)client-office365-tas(6)msedge(3)net(0)
UDP response info at 000002C8F8BC4520
Socket = 716
Remote addr 192.168.115.33, port 54724
Time Query=607061, Queued=0, Expire=0
Buf length = 0x0200 (512)
Msg length = 0x00a0 (160)
Message:
XID 0xafad
Flags 0x8180
QR 1 (RESPONSE)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 1
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 3
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(20)client-office365-tas(6)msedge(3)net(0)"

0 Karma
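As an added example (not code from the thread or from Splunk), here is a small Python parser for the "(n)label" name format seen in the Microsoft DNS debug log above. Instead of blindly replacing every "(n)" with a dot, it checks that each label really has the advertised length, so a value that arrived already cut short (like the "fp" or "client" results described above) is rejected rather than silently accepted. SAMPLE_LINE is the packet line quoted in the post above; the truncated inputs in the comments are constructed.

```python
import re

# Microsoft DNS debug logging writes query names as length-prefixed labels,
# e.g. "(6)fp-afd(9)azureedge(3)net(0)": "(n)" is the next label's length and
# "(0)" is the root label. LABEL_RE matches one "(n)label" unit.
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")
NAME_IN_LINE_RE = re.compile(r'\(\d+\)(?:[^()\s"]*\(\d+\))*')  # run of units

# Packet line of the debug log event quoted in the thread above.
SAMPLE_LINE = ('4/6/2018 2:03:24 PM 0C38 PACKET 000002C8F8BC4520 UDP Snd '
               '192.168.115.33 afad R Q [8081 DR NOERROR] A '
               '(20)client-office365-tas(6)msedge(3)net(0)')

class LabelFormatError(ValueError):
    """The (n)label encoding is inconsistent, e.g. the value was cut short."""

def decode_dns_name(encoded: str) -> str:
    """Turn "(6)fp-afd(9)azureedge(3)net(0)" into "fp-afd.azureedge.net".
    Unlike a plain replace() of every "(n)", which turns a truncated "(6)fp"
    (constructed example) into "fp", each label must have its stated length."""
    labels, pos = [], 0
    while pos < len(encoded):
        m = LABEL_RE.match(encoded, pos)
        if m is None:
            raise LabelFormatError(f"unexpected text at {pos}: {encoded[pos:]!r}")
        length, label = int(m.group(1)), m.group(2)
        pos = m.end()
        if length == 0:  # root label: must be last and carry no text
            if label or pos != len(encoded):
                raise LabelFormatError("data after the (0) root label")
            return ".".join(labels)
        if len(label) != length:
            raise LabelFormatError(
                f"label {label!r} is {len(label)} chars, header says {length}")
        labels.append(label)
    raise LabelFormatError("name does not end with the (0) root label")

def is_well_formed(encoded: str) -> bool:
    """True if decode_dns_name() accepts the value, False if it is malformed."""
    try:
        decode_dns_name(encoded)
        return True
    except LabelFormatError:
        return False

def query_name_from_log_line(line: str):
    """Extract and decode the query name from a DNS debug log line, or None."""
    m = NAME_IN_LINE_RE.search(line)
    return decode_dns_name(m.group(0)) if m else None
```

Running the raw events through this before they reach the index (or comparing its output with the newfield values) shows whether the hyphenated names are truncated at extraction time or only by the eval.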

Path Finder

It's strange because I know what you posted is working when you specify | eval src_domain = "url" but when I run it against the index, it doesn't seem to work.

I appreciate your help and will continue to tinker around with it.

-Jordan

0 Karma