I have no selfmade props.conf on SH only Splunk_TA_windows app from splunkbase.

# Sourcetype stanza for Windows DNS debug logs, as shipped in Splunk_TA_windows.
[MSAD:NT6:DNS]
# No automatic key=value extraction at search time; every field below comes only
# from the explicit EXTRACT-/REPORT-/EVAL-/FIELDALIAS-/LOOKUP- settings.
KV_MODE = none
# Index-time line breaking: a new event starts at a date/time prefix of the form
# "dd.mm.yyyy hh:mm:ss AM". The "." between the date parts is unescaped, so it
# matches any single character rather than a fixed separator.
LINE_BREAKER = ([\r\n]+)(\d{1,2}.\d{1,2}.\d{4} \d{1,2}:\d{1,2}:\d{1,2} \w{2})
# Load balancing on UF
# EVENT_BREAKER_ENABLE/EVENT_BREAKER are read by the universal forwarder (same
# pattern as LINE_BREAKER); they do nothing on a search head.
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)(\d{1,2}.\d{1,2}.\d{4} \d{1,2}:\d{1,2}:\d{1,2} \w{2})
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
# Search-time extraction of one packet line: thread id, PACKET marker, packet id,
# transport (UDP/TCP), direction, source IP, XID, operation (" " or "R"), opcode,
# the "[hexflags flags response]" block, question type and question name (the
# trailing "(0)" root label is excluded from questionname).
# NOTE(review): "(:?\(\d+\))?" is a capturing group that merely allows an optional
# leading ":" — not the non-capturing "(?:\(\d+\))?" used elsewhere here; looks
# like a typo, confirm against the TA's current release before changing it.
EXTRACT-singleLine = (?<threadid>[0-9A-Fa-f]+)\s+(?<context>PACKET)\s+(?<packetid>[0-9A-Fa-f]*) (?<protocol>UDP|TCP) (?<direction>\w+) (?<src_ip>[0-9A-Fa-f\.\:]+)\s+(?<xid>[0-9A-Fa-f]+)\s+(?<operation>[ R]) (?<opcode>.) \[(?<hexflags>[0-9A-Fa-f]+) (?<flags>....) (?<response>[^\]]+)\]\s+(?:QTYPE\s+)?(?<questiontype>\w+)\s+(?:QCLASS\s+\d+\s+)?(:?\(\d+\))?(?<questionname>[^\n]*)\(0\)
# Captures the text between the ANSWER/UPDATE SECTION header and the following
# AUTHORITY/ADDITIONAL SECTION header into ANSWER_OR_UPDATE_SECTION.
EXTRACT-answer = (ANSWER\s+SECTION|UPDATE\s+SECTION):(?<ANSWER_OR_UPDATE_SECTION>.*?)(AUTHORITY\s+SECTION|ADDITIONAL\s+SECTION)
# Rewrites the parenthesised label-length markers of the debug-log name form
# (e.g. "(3)www(7)example(3)com") into dots.
EVAL-query = replace(questionname,"(?:\(\d+\))",".")
# Aliases onto CIM Network Resolution field names. dest is the Splunk host field,
# i.e. the DNS server that wrote the log, not an address taken from the packet.
FIELDALIAS-record_type = questiontype AS record_type
FIELDALIAS-query = questionname AS query
FIELDALIAS-src=src_ip AS src
FIELDALIAS-dest = host AS dest
FIELDALIAS-transaction_id = packetid AS transaction_id
FIELDALIAS-transport = protocol AS transport
FIELDALIAS-vendor_query_type = opcode AS vendor_query_type
# operation is "R" on response lines; anything else is treated as a query.
EVAL-message_type = if(operation=="R","Response", "Query")
EVAL-name = if(operation=="R","R","")+opcode+"_"+response+"_"+questiontype
# "answer" is not set by anything in this stanza; presumably it is produced by
# REPORT-Multi_answer (transforms.conf stanza Answer_multi_value, not shown) —
# verify. Per value: length markers become dots, then "[word]" tokens are dropped.
EVAL-answer = mvmap(answer, replace(replace(answer,"\(\d+\)","."),"\\[\\w+\\]",""))
EVAL-vendor_product = "Microsoft Windows"
# The transforms named here are defined in the TA's transforms.conf (not shown).
REPORT-Multi_answer = Answer_multi_value
REPORT-KV_for_microsoft_dns_web = KV_for_port,KV_for_Domain,KV_for_microsoftdns_action,KV_for_Record_type,KV_for_Record_Class,KV_for_Answer_Section_Count,KV_for_Update_Section_Count
# Lookup definitions referenced here are also part of the TA. The action/
# reply_code lookup keys on message_type and vendor_dns_action; vendor_dns_action
# is not extracted in this stanza (presumably from one of the REPORT- transforms).
LOOKUP-windows_dns_query_type_lookup = windows_dns_query_type_lookup opcode OUTPUT query_type
LOOKUP-windows_dns_action_lookup = windows_dns_action_lookup message_type,vendor_dns_action OUTPUT action,reply_code,reply_code_id
# This setting was split across two lines in the paste; it is one line in props.conf.
LOOKUP-dns_recordclass_lookup = dns_recordclass_lookup record_class_number OUTPUT record_class