Hello all,
I've been struggling with getting DNS into the Network Resolution (DNS) datamodel. After some digging I found that the message type was always getting set to unknown. Digging into it, it seems the issue is that the Network Resolution model is CIM 4.1.
I also noticed that the Splunk Addon for Microsoft Windows is on CIM 4.1 but no longer contains the MSAD:NT6 sourcetypes, which it used to (unless I'm crazy). Further digging found two independent apps that contain these sourcetypes but are only on CIM 4.0 and definitely are not qualified to fill the Network Resolution model very well.
Here is a list of sourcetypes in the curreent Addon for Windows:
http://docs.splunk.com/Documentation/WindowsAddOn/4.8.3/User/SourcetypesandCIMdatamodelinfo
Here are the two separate apps I mentioned:
https://splunkbase.splunk.com/app/3207/ (DHCP)
https://splunkbase.splunk.com/app/3208/ (DNS)
All three are built by Splunk, with the two independent ones being newer (June) than the Windows one (April), but an older version of CIM.
Unless I'm mistaken somewhere, this results in a gap in a canned solution for getting DNS logs into the Network Resolution model.
Am I misunderstanding something? If not, does anyone know of a pre-existing workaround? I can probably get it working, but I'd rather not reinvent the wheel if I don't have to!
Thanks!
