
Active Directory DNS debug logs extract domain name

splunkranger
Path Finder

props.conf
[win_dns]
# Note: this rewrites every run of digits in the event (timestamp, thread id, IP), not only the (n) label lengths
SEDCMD-win_dns = s/(\d+)/./g
# label lengths can exceed one digit, e.g. (12), so match \d+ rather than a single \d
SEDCMD-domainname = s/(\(\d+\))/./g
# named capture group restored; the group name was lost in the original post's rendering
EXTRACT-dns_name = (?i)] \w+\s+(?P<dns_name>.+)

Example of dns_name

.hostname.domainname.org.

Can you help advise on how to remove the leading and trailing periods on dns_name ?

Thank you

0 Karma

jawaharas
Motivator

The configuration below in props.conf will fetch the domain name.

[MSAD:NT6:DNS]
EXTRACT-question1 = \] (?<questiontype>\w+)\s+(?<questionname>.*)
EXTRACT-question2 = \] (?<questionname>[^\s]*)$
EVAL-domain = trim(replace(questionname, "(\([\d]+\))", "."),".")
0 Karma

splunkranger
Path Finder

Thank you

The best example I have is below; the field has a leading and trailing period, which I would like to remove. I can do it at search time using replace; however, if it can be done at index time it would be better.

.hostname.domainname.org.

0 Karma

richgalloway
SplunkTrust

'EXTRACT-dns_name = (?i)] \w+\s+\.(?P<dns_name>(.+))' should get rid of the leading period. You should be able to get rid of both of them using 'EXTRACT-dns_name = (?i)] \w+\s+\.(?P<dns_name>(.+))\.<foo>' where <foo> is the delimiter marking the end of dns_name (space or comma, for example). Seeing an example event would help improve this answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust

It would be useful to see the raw event data that is being indexed, especially the parts immediately before and after the domain name.

---
If this reply helps you, Karma would be appreciated.
0 Karma

pjohnson1
Path Finder

Here you go Rich...

09/08/2015 23:58:56 1C78 PACKET  000000000A12C7D0 UDP Rcv 111.222.333.444   05da   Q [0001   D   NOERROR] A      .www.bluecoat.com.
0 Karma
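The replace-then-trim logic from jawaharas's EVAL and the "] qtype qname" extraction can be checked offline before they go into props.conf. The Python below is an added example written for this thread, not code from any of the posters or from Splunk: it parses constructed Windows DNS debug-log lines (the field layout and the "(len)label(len)label(0)" question-name encoding that the SEDCMD/replace rewrites to dots are assumptions based on the event pjohnson1 posted), produces the trimmed domain, and also shows why a single-digit "\(\d\)" pattern misses labels longer than nine characters. The sample events, IP addresses and hostnames are constructed; the field names (questiontype, questionname, domain) follow the props.conf in the thread. A clean, consistently trimmed domain field is what you want for matching query names against allow/block lists or for spotting unusual lookups.

```python
import re

# Constructed sample events (not real traffic) in the Windows DNS debug-log
# layout: date time thread PACKET ptr proto dir remote_ip xid [R] opcode [flags] qtype qname
SAMPLE_EVENTS = [
    "09/08/2015 23:58:56 1C78 PACKET  000000000A12C7D0 UDP Rcv 192.0.2.10   05da   Q [0001   D   NOERROR] A      (3)www(8)bluecoat(3)com(0)",
    "09/08/2015 23:58:57 1C78 PACKET  000000000A12C7D0 UDP Snd 192.0.2.10   05da R Q [8081   DR  NOERROR] A      (3)www(8)bluecoat(3)com(0)",
    "09/08/2015 23:59:01 1C78 PACKET  000000000A12C900 UDP Rcv 192.0.2.11   1a2b   Q [0001   D   NOERROR] AAAA   (12)verylonglabel(7)example(3)net(0)",
]

# Mirrors replace(questionname, "(\([\d]+\))", ".") from the thread: any "(n)" label length becomes a dot.
LABEL_LEN = re.compile(r"\(\d+\)")
# The single-digit variant from the original SEDCMD, kept only to show what it misses.
LABEL_LEN_SINGLE_DIGIT = re.compile(r"\(\d\)")

# Whole-event parser (assumed layout). The flags bracket is the first "]" in the
# line, which is why the thread's extractions anchor on "\] ".
EVENT = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<thread>\S+)\s+PACKET\s+(?P<packet>\S+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<remote_ip>\S+)\s+(?P<xid>[0-9a-fA-F]{4})\s+"
    r"(?P<response>R?)\s*(?P<opcode>\w)\s+\[(?P<flags>[^\]]*)\]\s+(?P<questiontype>\w+)\s+(?P<questionname>\S+)"
)


def dotted_name(raw: str) -> str:
    """Convert "(3)www(8)bluecoat(3)com(0)" to "www.bluecoat.com" (replace, then trim)."""
    dotted = LABEL_LEN.sub(".", raw).strip(".")
    # A bare "(0)" is the root name; keep it as "." instead of an empty string.
    return dotted if dotted else "."


def dotted_name_single_digit(raw: str) -> str:
    """Same as dotted_name but with "\(\d\)"; labels of 10+ characters keep their "(nn)" prefix."""
    return LABEL_LEN_SINGLE_DIGIT.sub(".", raw).strip(".")


def parse_event(line: str):
    """Return the event fields plus a trimmed "domain", or None if the line does not match."""
    m = EVENT.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["domain"] = dotted_name(fields["questionname"])
    return fields


def extract_domains(lines):
    """Trimmed domain for every line that parses; unparseable lines are skipped."""
    return [ev["domain"] for ev in map(parse_event, lines) if ev is not None]


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_event(line)
        print(ev["direction"], ev["remote_ip"], ev["questiontype"], ev["domain"])
    print("single-digit pattern leaves:", dotted_name_single_digit(SAMPLE_EVENTS[2].split()[-1]))
```

Run it as-is to see the three trimmed domains; the last line prints "(12)verylonglabel.example.net", which is the artefact you get when the label-length pattern only allows one digit.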

daniel_augustyn
Contributor

Were you able to figure this out?

0 Karma
