DNS Line Braking Broker at midnight on the first o...

hartfoml · ‎11-01-2013

Here is what my DNS logs look line

`Oct 31 23:59:59 ns2 named[19971]: 31-Oct-2013 23:59:59.999 queries: client xxx.xxx.xxx.xxx#33299: query: xxx.xxx.xxx.xxx.in-addr.arpa IN PTR + (xxx.xxx.xxx.xxx)

Nov 1 00:00:00 ns2 named[19971]: 01-Nov-2013 00:00:00.003 queries: client xxx.xxx.xxx.xxx#49419: query: Myserver.mydomain.com IN A + (xxx.xxx.xxx.xxx)

Nov 1 00:00:00 ns2 named[19971]: 01-Nov-2013 00:00:00.017 queries: client xxx.xxx.xxx.xxx#36802: query: 101.208.135.130.in-addr.arpa IN PTR + ()
`
Here is the transform in props.conf to collect the time stamp and line braking

[dns] LINE_BREAKER = ([\r\n]+)\w+\s\d+\s[\d:]+ NO_BINARY_CHECK = 1 TZ = UTC SHOULD_LINEMERGE = false TIME_FORMAT = %d-%b-%Y %H:%M:%S.%3N TIME_PREFIX = \]:\s pulldown_type = 1
Some how the line braking is not working after midnight.
Instead of getting one line per I am gettinf odd numbers of lines like 3/4 or 45 lines per log

Can anyone help?

hartfoml · ‎11-01-2013

I solved the issue

The extra space caused by gogin from double diget days to single diget days.

I started indexing on Oct 28 so the regex worked like this:

LINE_BREAKER = ([\r\n]+)\w+\s\d+\s[\d:]+

After the 31 there was an extra spamce between Nov and the 1st so I did this

LINE_BREAKER = ([\r\n]+)\w+\s+\d+\s[\d:]+

that solved the issue

kristian_kolb · ‎11-01-2013

Good that you found it. However, since this is single line events, you could make do with a slightly shorter config - simply skip the LINE_BREAKER.

DNS Line Braking Broker at midnight on the first of month

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!