For our purposes with ipv6 I had to create a new transform and append it to the field extraction that came with the Infoblox app. After some digging I found the primary culprit to be the infoblox_dns_extract_field_16 extraction.
Since we are on Splunk Cloud this is all done in the GUI, but you can probably imagine the local/props.conf & local/transforms.conf settings that was needed behind the scenes.
#Transforms.conf
[illinois-urbana-infoblox_dns_extract_field_16]
REGEX = client\s((?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))#(\d{1,5})\:?\s[\S]+\s(?:query\s)?(?:\(cache\)\s)?'(\S+)'\sdenied
SOURCE_KEY = named_message
FORMAT = src_ip::$1 src_port::$2 cache_query::$3
#Props.conf
[infoblox:dns]
REPORT-dns_fields_2 = infoblox_dns_extract_field_11,infoblox_dns_extract_field_12,infoblox_dns_extract_field_13,infoblox_dns_extract_field_14,infoblox_dns_extract_field_15,infoblox_dns_extract_field_16,infoblox_dns_extract_field_17,illinois-urbana-infoblox_dns_extract_field_16
... View more