Splunk Search

How to search Windows DNS logs for FQDN?

CarolinasFan
New Member

Splunk has our Windows DNS lookups as image(7)site(3)com. How do I search for image.site.com?


delink
Communicator

If you want to get a correct field in place without having to modify the existing log file at index-time the way the other answer specifies, you will want to use the following field extraction in props.conf based on the TA included with the Windows Infrastructure app on Splunkbase. You can apply this eval statement to any sourcetype if you've brought in your DNS logs some other way.

[MSAD:NT6:DNS]
EVAL-fqdn=trim(replace(src_domain,"\([0-9]+\)","."),".")

This will replace all of the numbers in parentheses with dots, then trim the dots from the beginning and end so it will match how FQDN is usually represented in other apps and threat lists for correlation.
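A stand-alone reproduction of that transformation in Python, as an added example that is not part of this thread or of the Windows Infrastructure TA. It mirrors the eval (replace, then trim), adds a stricter decoder that checks each length prefix against its label so a malformed record is flagged rather than silently turned into a plausible name, and shows the parent-domain match used when correlating against a domain list. The sample values are constructed.

```python
import re
from typing import Optional

# Constructed sample values in the form Windows DNS debug logging writes names:
# each label is prefixed by its length in parentheses and the name ends in (0).
SAMPLE_OK = "(5)image(4)site(3)com(0)"
SAMPLE_NO_PREFIX = "image(7)site(3)com"   # the form shown in the question
SAMPLE_BAD = "(5)image(9)site(3)com(0)"   # length prefix disagrees with its label

LENGTH_PREFIX = re.compile(r"\([0-9]+\)")  # same pattern as the eval's replace()
LENGTH_CAPTURE = re.compile(r"\((\d+)\)")
LABEL_CHARS = re.compile(r"[A-Za-z0-9_-]+")


def fqdn_lenient(src_domain: str) -> str:
    """Same transformation as the props.conf eval: replace every (digits)
    with '.', then trim dots from both ends."""
    return LENGTH_PREFIX.sub(".", src_domain).strip(".")


def fqdn_strict(src_domain: str) -> Optional[str]:
    """Decode by honouring the length prefixes. Returns None when a prefix
    does not match its label or the (0) terminator is missing, so a
    malformed record is surfaced instead of becoming a plausible name."""
    labels, pos = [], 0
    while pos < len(src_domain):
        m = LENGTH_CAPTURE.match(src_domain, pos)
        if m is None:
            return None
        n, pos = int(m.group(1)), m.end()
        if n == 0:
            return ".".join(labels) if labels and pos == len(src_domain) else None
        label = src_domain[pos:pos + n]
        if len(label) != n or LABEL_CHARS.fullmatch(label) is None:
            return None
        labels.append(label)
        pos += n
    return None  # input ended before the (0) terminator


def on_watchlist(fqdn: str, watchlist: set) -> bool:
    """Correlate a decoded name against a domain list: exact match or any
    parent domain, so 'cdn.bad.example' matches an entry 'bad.example'."""
    parts = fqdn.lower().split(".")
    return any(".".join(parts[i:]) in watchlist for i in range(len(parts) - 1))


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_NO_PREFIX, SAMPLE_BAD):
        print(f"{sample:28} lenient={fqdn_lenient(sample):16} strict={fqdn_strict(sample)}")
```

Note that the lenient form returns `image.site.com` for all three samples, including the one whose length prefix is wrong; only the strict decoder distinguishes them.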

reswob4
Builder

This is the method I used to set up the DNS in splunk and it works very nicely.

http://stratumsecurity.com/2012/07/03/splunk-security/

trevorQmulos
New Member

reswob4, any chance you can share the information from this site? Looks like it's currently down and I am also trying to get rid of the (3) etc. from my DNS logs.


CarolinasFan
New Member

Thanks - I may be missing something, but is there a way I can format the search criteria without changing how the DNS is indexed?


reswob4
Builder

First question, to make sure we are on the same page: Are you collecting the DNS Trace Logs? If not, you won't be able to do the searches you are talking about. Searching against the logs Windows DNS records in its own eventlogs won't get you much information.

Now, if you are collecting the DNS trace logs, here's what I did:

Based on the link above, I created two field extractions:

(from my props.conf)
# the named capture groups become the extracted field names
EXTRACT-Domain = (?i) .*? .(?P<Domain>[-a-zA-Z0-9@:%_+.~#?;//=]{2,256}.[a-z]{2,6})
EXTRACT-src = (?i) Rcv (?P<src>\d+.\d+.\d+.\d+)

These allow me to search by FQDN right in splunk.

If you want to search directly without changing how it's indexed, you may be able to leverage the regex above in the search parameters.

I suggest you create these under FIELDS --> FIELD EXTRACTIONS for whatever sourcetype is collecting your DNS Trace logs.
