I hade version 7.0.0 on the SH and upgraded to 8.7.0 but it didn't change anything for my problem. I tried two props.conf but was not using any of them. But I found an new props.conf on the community and now the query field is working, so I guess we can use this field. [MSAD:NT6:DNS] SEDCMD-win_dns-first = s/\(\d+\)/./g SEDCMD-win_dns-second = s/\s\.(.*)\.$/ \1/g Thank you. ... View more

I have no selfmade props.conf on SH only Splunk_TA_windows app from splunkbase. [MSAD:NT6:DNS] KV_MODE = none LINE_BREAKER = ([\r\n]+)(\d{1,2}.\d{1,2}.\d{4} \d{1,2}:\d{1,2}:\d{1,2} \w{2}) # Load balancing on UF EVENT_BREAKER_ENABLE = true EVENT_BREAKER = ([\r\n]+)(\d{1,2}.\d{1,2}.\d{4} \d{1,2}:\d{1,2}:\d{1,2} \w{2}) SHOULD_LINEMERGE = false CHECK_FOR_HEADER = false EXTRACT-singleLine = (?<threadid>[0-9A-Fa-f]+)\s+(?<context>PACKET)\s+(?<packetid>[0-9A-Fa-f]*) (?<protocol>UDP|TCP) (?<direction>\w+) (?<src_ip>[0-9A-Fa-f\.\:]+)\s+(?<xid>[0-9A-Fa-f]+)\s+(?<operation>[ R]) (?<opcode>.) \[(?<hexflags>[0-9A-Fa-f]+) (?<flags>....) (?<response>[^\]]+)\]\s+(?:QTYPE\s+)?(?<questiontype>\w+)\s+(?:QCLASS\s+\d+\s+)?(:?\(\d+\))?(?<questionname>[^\n]*)\(0\) EXTRACT-answer = (ANSWER\s+SECTION|UPDATE\s+SECTION):(?<ANSWER_OR_UPDATE_SECTION>.*?)(AUTHORITY\s+SECTION|ADDITIONAL\s+SECTION) EVAL-query = replace(questionname,"(?:\(\d+\))",".") FIELDALIAS-record_type = questiontype AS record_type FIELDALIAS-query = questionname AS query FIELDALIAS-src=src_ip AS src FIELDALIAS-dest = host AS dest FIELDALIAS-transaction_id = packetid AS transaction_id FIELDALIAS-transport = protocol AS transport FIELDALIAS-vendor_query_type = opcode AS vendor_query_type EVAL-message_type = if(operation=="R","Response", "Query") EVAL-name = if(operation=="R","R","")+opcode+"_"+response+"_"+questiontype EVAL-answer = mvmap(answer, replace(replace(answer,"\(\d+\)","."),"\\[\\w+\\]","")) EVAL-vendor_product = "Microsoft Windows" REPORT-Multi_answer = Answer_multi_value REPORT-KV_for_microsoft_dns_web = KV_for_port,KV_for_Domain,KV_for_microsoftdns_action,KV_for_Record_type,KV_for_Record_Class,KV_for_Answer_Section_Count,KV_for_Update_Section_Count LOOKUP-windows_dns_query_type_lookup = windows_dns_query_type_lookup opcode OUTPUT query_type LOOKUP-windows_dns_action_lookup = windows_dns_action_lookup message_type,vendor_dns_action OUTPUT action,reply_code,reply_code_id LOOKUP-dns_recordclass_lookup = dns_recordclass_lookup record_class_number OUTPUT record_class ... View more

We have no own props.conf right now, that what I need suggestions for. The only props.conf with that sourcetype is from Splunk_TA_windows app at Splunkbase. [MSAD:NT6:DNS] KV_MODE = none SHOULD_LINEMERGE = false CHECK_FOR_HEADER = false EXTRACT-threadid = (?<threadid>[0-9A-Fa-f]+)\s+(?<context>PACKET) EXTRACT-protocol = (?<packetid>[0-9A-Fa-f]*) (?<protocol>UDP|TCP) (?<direction>\w+) (?<src_ip>[0-9A-Fa-f\.\:]+)\s+ EXTRACT-opcode = (?<operation>[ R]) (?<opcode>.) \[(?<hexflags>[0-9A-Fa-f]+) (?<flags>....) (?<response>[^\]]+)\] EXTRACT-question1 = \] (?<questiontype>\w+)\s+(?<questionname>.*) EXTRACT-question2 = \] (?<questionname>[^\s]*)$ FIELDALIAS-query = questionname AS query FIELDALIAS-reply_code = response AS reply_code FIELDALIAS-transaction_id = packetid AS transaction_id FIELDALIAS-transport = protocol AS transport FIELDALIAS-vendor_query_type = opcode AS vendor_query_type REPORT_KV_for_microsoft_dns_web = KV_for_port,KV_for_Domain,KV_for_RecvdIP,KV_for_microsoftdns_action,KV_for_Record_type,KV_for_Record_Class LOOKUP-dns_action_lookup = dns_action_lookup vendor_dns_action OUTPUT action LOOKUP-dns_vendor_lookup = dns_vendor_lookup sourcetype OUTPUT vendor,product,app LOOKUP-dns_recordclass_lookup = dns_recordclass_lookup record_class_number OUTPUT record_class ... View more

Hi, Thank for your answer. Yes I am 100% sure that the src_domain field contains that DNS domain with (\d) Can you recommend an working props.conf at search time?     ... View more

Hi @gcusello , Thank you for the answer and sorry for not give you all information. We have multiple sourcetypes, will your suggestion work OR should I just one stanza per sourcetype in props.conf? Will the _meta field overwrite the accountname field? I want to keep the data in the accountname field as it is and add extra _meta from the accountname. Regards Jan ... View more

My fault of typo, thank you 😐 ... View more

Hi, This will only give me a lot of NULL values now. -J-     ... View more

The ip numbers should show up as 1.1.1.1 2.2.2.2 but showing as 1.1.1.12.2.2.2 ... View more

Hi, There is an app on splunkbase named Alerts For Splunk Admins. Have you tried the app to find the slowness?   Regards Jan ... View more