Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Problem in Splunk for DNS

sdsajjadi
New Member
‎08-13-2011 10:19 PM

I installed splunk 4.2.3 and I want to monitor statistics of BIND 9.7.2 (DNS) queries through it. I used SPLUNK FOR BIND application and installed it in splunk panel, but in dashboard I can't see any graph and splunk shows me this (in more info link):

search sourcetype=named eventtype=named_event host="" named_query_type="" | timechart count by host usenull="f" useother="f"

It seems that splunk can't find BIND log files and events.
I made a props.conf file and put it in /opt/splunk/etc/apps/named/local. its content is:

[named]
pulldown_type = true
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False

[source::/var/named/data/named.log]
sourcetype=named

what is the problem in drawng DNS graphs?

Tags (1)
0 Karma
Reply

ftk
Motivator
‎08-16-2011 11:38 PM

Have you defined any inputs and actually indexed any bind data yet? I see you put a [source::/var/log/named...] stanza in props.conf. Do you actually have a matching [monitor::] stanza in inputs.conf that is pulling the data in?

I recommend taking a look at the Getting Data In chapter of the docs, specifically the section on monitoring files and directories. These should get you started on getting the data into splunk so you can use the app on it.

Reply

sdsajjadi
New Member
‎08-16-2011 10:16 PM

I have inserted named.log path in props.conf file and splunk daemon is running. Should I do anything else?

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎08-15-2011 01:32 AM

Hi sdsajjadi

just one thought: is the user running the splunkd process, able to read the named log in your [named] stanza?

regards

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...