Splunk Search

DNS Line Breaking Broken at midnight on the first of month

hartfoml
Motivator

Here is what my DNS logs look like

```
Oct 31 23:59:59 ns2 named[19971]: 31-Oct-2013 23:59:59.999 queries: client xxx.xxx.xxx.xxx#33299: query: xxx.xxx.xxx.xxx.in-addr.arpa IN PTR + (xxx.xxx.xxx.xxx)
Nov 1 00:00:00 ns2 named[19971]: 01-Nov-2013 00:00:00.003 queries: client xxx.xxx.xxx.xxx#49419: query: Myserver.mydomain.com IN A + (xxx.xxx.xxx.xxx)
Nov 1 00:00:00 ns2 named[19971]: 01-Nov-2013 00:00:00.017 queries: client xxx.xxx.xxx.xxx#36802: query: 101.208.135.130.in-addr.arpa IN PTR + ()
```
Here is the transform in props.conf to collect the timestamp and line breaking

```
[dns]
LINE_BREAKER = ([\r\n]+)\w+\s\d+\s[\d:]+
NO_BINARY_CHECK = 1
TZ = UTC
SHOULD_LINEMERGE = false
TIME_FORMAT = %d-%b-%Y %H:%M:%S.%3N
TIME_PREFIX = \]:\s
pulldown_type = 1
```

Somehow the line breaking is not working after midnight.
Instead of getting one line per I am getting odd numbers of lines like 3/4 or 45 lines per log

Can anyone help?

0 Karma

hartfoml
Motivator

I solved the issue

The extra space caused by going from double-digit days to single-digit days.

I started indexing on Oct 28 so the regex worked like this:

```
LINE_BREAKER = ([\r\n]+)\w+\s\d+\s[\d:]+
```

After the 31 there was an extra space between Nov and the 1st so I did this

```
LINE_BREAKER = ([\r\n]+)\w+\s+\d+\s[\d:]+
```

That solved the issue

0 Karma

kristian_kolb
Ultra Champion

Good that you found it. However, since these are single-line events, you could make do with a slightly shorter config - simply skip the LINE_BREAKER.

0 Karma
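
An added example (not part of the original thread) that approximates how `LINE_BREAKER` splits a raw stream, run over constructed log lines with syslog's space-padded day (`Nov  1`). It compares the original regex, the corrected one, and Splunk's default `([\r\n]+)`, which applies when `LINE_BREAKER` is omitted; `break_events` and the sample addresses are assumptions made for illustration.

```python
import re

# Constructed sample lines; classic syslog pads single-digit days ("Nov  1").
LINES = [
    "Oct 31 23:59:59 ns2 named[19971]: 31-Oct-2013 23:59:59.999 queries: "
    "client 192.0.2.10#33299: query: 10.2.0.192.in-addr.arpa IN PTR + (192.0.2.53)",
    "Nov  1 00:00:00 ns2 named[19971]: 01-Nov-2013 00:00:00.003 queries: "
    "client 192.0.2.11#49419: query: host.example.com IN A + (192.0.2.53)",
    "Nov  1 00:00:00 ns2 named[19971]: 01-Nov-2013 00:00:00.017 queries: "
    "client 192.0.2.12#36802: query: 12.2.0.192.in-addr.arpa IN PTR + ()",
    "Nov  1 00:00:01 ns2 named[19971]: 01-Nov-2013 00:00:01.250 queries: "
    "client 192.0.2.10#40111: query: www.example.com IN A + (192.0.2.53)",
    "Nov 10 00:00:00 ns2 named[19971]: 10-Nov-2013 00:00:00.100 queries: "
    "client 192.0.2.11#51000: query: mail.example.com IN MX + (192.0.2.53)",
]
RAW = "\n".join(LINES) + "\n"

ORIGINAL = r"([\r\n]+)\w+\s\d+\s[\d:]+"   # exactly one space before the day
FIXED = r"([\r\n]+)\w+\s+\d+\s[\d:]+"     # one or more spaces before the day
DEFAULT = r"([\r\n]+)"                    # Splunk default: break on every newline


def break_events(raw, line_breaker):
    """Approximate LINE_BREAKER: an event ends where capture group 1 starts,
    group 1 is discarded, and the rest of the match begins the next event."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    tail = raw[start:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return events


def lines_per_event(raw, line_breaker):
    """Number of log lines that end up inside each event."""
    return [e.count("\n") + 1 for e in break_events(raw, line_breaker)]


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL), ("fixed", FIXED), ("default", DEFAULT)):
        print(f"{name:8s} lines per event: {lines_per_event(RAW, rx)}")
```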