I am trying to use the SEDCMD when indexing Windows DNS logs as described in this solution:
http://splunk-base.splunk.com/answers/4546/field-extraction-regex-fu-help
In a nutshell, the Windows DNS logs have the domain name being queried in this format: (6)images(6)google(3)com(0) and I need them in this format: images.google.com
I added these items to my props.conf in /opt/splunk/etc/system/local:
[source::/home/dnsuser/Downloads/dns1.log]
sourcetype = windns
[windns]
SEDCMD-domainname = s/(\(\d\))/./g
Then I restarted Splunk, created a new index called DNS and a new data input for the file /home/dnsuser/Downloads/dns1.log. In the data input I manually specified windns as the source type. The data is in there and my field extractions specified in transforms.conf are working fine as I can see them by specifying either index=dns or sourcetype=windns.
The domain name is extracted to a field called dns_query. When I view that field in the search results the domain name has not been modified by the SEDCMD. I know the syntax of the SEDCMD is correct because I can use it this way and the domain names are in the proper format:
index=dns | rex "((? (\w+((\d))){1,}?)$)" | rex mode=sed field=dns_query "s/(\(\d\))/./g"
Any help would be appreciated.
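A worked example, added by the editor and not part of the original post or of Splunk itself: it reproduces the posted sed substitution with Python's re module (an approximation of the regex engine Splunk uses for SEDCMD and rex mode=sed) on constructed sample names, and contrasts it with a length-checking decoder of the Windows DNS debug-log name format. Two points it makes visible: the posted expression leaves a leading and trailing dot, and its single-digit `\d` does not match labels longer than nine characters, such as `(12)safebrowsing`. The function names and sample lines are the editor's own.

```python
import re

# Constructed sample names in the Windows DNS debug-log encoding:
# each label is prefixed by its length in parentheses, terminated by (0).
SAMPLES = [
    "(6)images(6)google(3)com(0)",
    "(12)safebrowsing(6)google(3)com(0)",  # a label longer than 9 characters
]


def sed_style(name, pattern=r"\(\d\)", repl="."):
    """Apply a global substitution the way SEDCMD s/.../.../g would.

    The default pattern is the one from the post; pass r"\(\d+\)" to
    cover multi-digit label lengths.
    """
    return re.sub(pattern, repl, name)


def dotted_via_sed(name):
    """Substitution with a multi-digit length pattern, then trim the
    leading/trailing dots that the (0) root label and first label leave."""
    return re.sub(r"\(\d+\)", ".", name).strip(".")


# One (length)label unit; the label runs up to the next parenthesis.
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_dns_name(encoded):
    """Decode (len)label(len)label(0) into dotted form, verifying that
    each declared length matches the label actually present.

    Raises ValueError on malformed input rather than silently producing
    a plausible-looking but wrong hostname.
    """
    labels = []
    pos = 0
    while pos < len(encoded):
        m = LABEL_RE.match(encoded, pos)
        if not m:
            raise ValueError(f"unexpected data at offset {pos}: {encoded[pos:]!r}")
        length = int(m.group(1))
        label = m.group(2)
        pos = m.end()
        if length == 0:
            # (0) is the root label: nothing may follow it.
            if label or pos != len(encoded):
                raise ValueError("data after root label")
            break
        if len(label) != length:
            raise ValueError(
                f"label {label!r} has length {len(label)}, declared {length}"
            )
        labels.append(label)
    return ".".join(labels)


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}")
        print("  posted sed   :", sed_style(s))
        print("  sed, \\d+ trim:", dotted_via_sed(s))
        print("  decoder      :", decode_dns_name(s))
```

Running it shows the posted expression turning the first sample into `.images.google.com.` and leaving `(12)` untouched in the second, while the decoder returns `images.google.com` and `safebrowsing.google.com` and rejects a name whose declared length disagrees with the label. Separately from the regex itself, SEDCMD is applied at index time while events are parsed, so it only affects events indexed after the stanza was in place; events already in the index keep their raw text.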