I am again in need of help with regex. In a scrubbed example (there are thousands more lines) of the following dns log I have the following:
4/13/2016 5:22:38 AM 062C PACKET 000000FE74EC0260 UDP Rcv 999.99.999.999 8088 Q [0001 D NOERROR] A (12)biggersearch(3)ent(4)john(5)local(0)
4/13/2016 5:22:37 AM 062C PACKET 000000FE766DC0A0 UDP Rcv 999.99.999.999 635d Q [0001 D NOERROR] A (3)dns(8)msftncsi(3)com(0)
I need to strip out
(12)biggersearch(3)ent(4)john(5)local(0)
to be
biggersearch.ent.john.local
and
(3)dns(8)msftncsi(3)com(0)
to be
dns.msftncsi.com
Please help and many thanks...
Hi and thank you,
I got the first part of this in my props.conf and I modified it a little and it works perfectly...
\[[^\]]+\]\s+\w*\s+\(\d+\)(?\S+?)\(\d+\)$
I am unsure on how and where to place the remainder of this (I am assuming it goes into transforms.conf?):
s/(\(\d+\))/./g
Please help me finish this up and thank you again...
Hi,
Could you post your regex again but using the code button above (the one with 1s and 0s)? Otherwise special characters will be removed.
With regards to your question about props and transforms, see the following links on how to use both files for advanced field extraction.
https://answers.splunk.com/answers/132965/using-transforms-to-replace-raw-data-vs-sedcmd.html
https://answers.splunk.com/answers/210096/how-to-configure-sedcmd-in-propsconf.html
Hope that helps.
EXTRACT-url = \[[^\]]+\]\s+\w*\s+\(\d+\)(?<url>\S+?)\(\d+\)$
and my url comes out as
biggersearch(3)ent(4)john(5)local
I am having difficulty getting it to be
biggersearch.ent.john.local
Just unsure as to how to finish it up via transforms.conf
Many thanks and I apologize for being confused on this subject
If you're already extracting that in props, maybe just finish up there with an eval, something like this?
EVAL-url = replace(url,"\(\d+\)",".")
The eval should be processed after the extract.
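The same two-step approach (the EXTRACT-style capture followed by the replace of every "(N)" separator) as an added Python example, not part of the thread; it reuses the two scrubbed log lines from the question as constructed input and adds a stricter decoder that checks each length prefix against its label, so a malformed name in the log is flagged rather than silently dotted.

```python
import re

# Constructed sample: the two scrubbed Windows DNS debug-log lines from the question.
SAMPLE_LOG = """\
4/13/2016 5:22:38 AM 062C PACKET 000000FE74EC0260 UDP Rcv 999.99.999.999 8088 Q [0001 D NOERROR] A (12)biggersearch(3)ent(4)john(5)local(0)
4/13/2016 5:22:37 AM 062C PACKET 000000FE766DC0A0 UDP Rcv 999.99.999.999 635d Q [0001 D NOERROR] A (3)dns(8)msftncsi(3)com(0)
"""

# Same pattern as the EXTRACT-url above (Python uses (?P<name>...) for named groups):
# skip the bracketed flags and the record type, capture from after the first (N)
# label length up to the trailing (0) root label.
EXTRACT_URL = re.compile(r"\[[^\]]+\]\s+\w*\s+\(\d+\)(?P<url>\S+?)\(\d+\)$")

# Equivalent of EVAL-url = replace(url,"\(\d+\)","."): each "(N)" becomes a dot.
LABEL_SEP = re.compile(r"\(\d+\)")

# One "(N)label" pair; used by the stricter decoder below.
LABEL = re.compile(r"\((\d+)\)([^(]*)")


def extract_url(line):
    """Return the raw '(N)'-separated name from one log line, or None."""
    m = EXTRACT_URL.search(line)
    return m.group("url") if m else None


def dotted_name(url):
    """Turn 'a(3)b(3)c' into 'a.b.c' exactly as the EVAL replace does."""
    return LABEL_SEP.sub(".", url)


def decode_labels(wire):
    """Decode the full '(N)label...(0)' form, verifying every length prefix."""
    labels = []
    for n, text in LABEL.findall(wire):
        if int(n) != len(text):
            raise ValueError("label length %s does not match %r" % (n, text))
        if n == "0":          # root label ends the name
            break
        labels.append(text)
    return ".".join(labels)


def parse_log(text):
    """Dotted query names for every line in the log that matches."""
    names = []
    for line in text.splitlines():
        url = extract_url(line)
        if url is not None:
            names.append(dotted_name(url))
    return names
```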
Works like a charm! Thanks to you both for helping me put this all together.