I am unable to parse Windows logs in Splunk. My raw event contains 2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0). I want to remove the () from the domain name.
I tried to configure the following in props.conf on the indexers and restarted them, but no luck:
[DNS]
MAX_TIMESTAMP_LOOKAHEAD=128
TRUNCATE=20000
DATETIME_CONFIG=CURRENT
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
disabled=false
SEDCMD-win_dns = s/\(\d+\)/./g
Any assistance in troubleshooting this issue is greatly appreciated.
Thanks,
Mohammed Mohiuddin
This is what I use:
[MSAD:NT6:DNS]
SEDCMD-win_dns-first = s/\(\d+\)/./g
SEDCMD-win_dns-second = s/\s\.(.*)\.$/ \1/g
You should be able to chain those together like this:
[MSAD:NT6:DNS]
SEDCMD-win_dns = s/\(\d+\)/./g s/\s\.(.*)\.$/ \1/g
Hi,
In addition to the query like this, (2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0), the logs are followed by "UDP Response" and many more lines.
Ex.
] A (2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0)
UDP Response......
When I used SEDCMD-win_dns = s/\(\d+\)/./g s/\s\.(.*)\.$/ \1/g
the log is formatted as ] A .35.48.199.157.in-addr.arpa.
There is a 'dot' at the end. Can you please advise on how to remove the trailing dot alone?
Try using \d instead of d; also escape the ( & ), else you're forming a capture group:
SEDCMD-win_dns = s/\(\d+\)/./g
The backslashes in the question were lost in formatting, I've fixed them.
sedcmd only happens at index time. Can you confirm you're not using a heavy forwarder to send the data in?
Also, you may want to try using rex to get the regular expression right first, and then move it to a SEDCMD:
search .... | rex field=fieldname mode=sed "s/\(\d+\)/./g" | table fieldname
I'm thinking you may need a \ in front of the . as well, especially in Windows, as the Windows regex is funny at times.
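The SEDCMD chain from the accepted answer and the rex mode=sed test suggested here can both be tried offline before anything goes into props.conf. What follows is an added example, written by the editor and not code from the thread or from Splunk: a small Python emulator of the s/regex/replacement/flags syntax that splits a chained SEDCMD value into its commands and applies them in order with Python's re module (assumed close enough to Splunk's PCRE for these patterns). The sample events are constructed to match the shape described in the follow-up question, not real captures. The emulator treats the whole event as one string, so $ anchors only at the end of the event; under that assumption the thread's second command does not fire on a multi-line event, which reproduces the trailing dot reported above. ROBUST_CHAIN is a hypothetical variant of the second command that strips the leading and trailing dot of the label run without depending on the end-of-event anchor; UNESCAPED shows what the unescaped (\d+) form from the question actually does.

```python
import re

# Added example (editor's, not from the thread): an offline emulator for
# Splunk's SEDCMD / "rex mode=sed" s/// syntax.
# Assumptions: Splunk's sed regexes are PCRE-style and Python's `re` is close
# enough for these patterns; a chained SEDCMD value is a whitespace-separated
# list of s/// commands; the event is one string, so `$` anchors at the end of
# the whole event rather than at the end of each line.


def parse_sedcmd(script):
    """Split 's/regex/repl/flags s/.../.../...' into (regex, repl, flags) tuples.

    Only the s command is handled.  A backslash escapes the next character, so
    an escaped delimiter inside the regex or replacement does not terminate it.
    """
    cmds = []
    i, n = 0, len(script)
    while i < n:
        while i < n and script[i].isspace():      # skip separators between commands
            i += 1
        if i >= n:
            break
        if script[i] != "s" or i + 1 >= n:
            raise ValueError(f"unsupported sed command at offset {i}: {script[i:]!r}")
        delim = script[i + 1]
        i += 2
        parts = []
        for _ in range(2):                        # regex, then replacement
            buf = []
            while i < n and script[i] != delim:
                if script[i] == "\\" and i + 1 < n:
                    nxt = script[i + 1]
                    buf.append(nxt if nxt == delim else "\\" + nxt)
                    i += 2
                else:
                    buf.append(script[i])
                    i += 1
            if i >= n:
                raise ValueError("unterminated sed expression")
            parts.append("".join(buf))
            i += 1                                # consume the closing delimiter
        flags = []
        while i < n and not script[i].isspace():
            flags.append(script[i])
            i += 1
        cmds.append((parts[0], parts[1], "".join(flags)))
    return cmds


def apply_sedcmd(script, event):
    """Run each s/// command in order over the event, as SEDCMD does at index time."""
    for regex, repl, flags in parse_sedcmd(script):
        count = 0 if "g" in flags else 1          # g = replace every occurrence
        re_flags = re.IGNORECASE if "i" in flags else 0
        event = re.sub(regex, repl, event, count=count, flags=re_flags)
    return event


# Constructed sample events in the shape the thread describes (not real captures).
SINGLE_LINE = "] A (2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0)"
MULTI_LINE = ("] A (2)35(2)48(3)199(3)157(7)in-addr(4)arpa(0)\n"
              "UDP Response......")

# The chain from the thread: its second command only matches when the label
# string ends the whole event, so the trailing dot survives on multi-line events.
THREAD_CHAIN = r"s/\(\d+\)/./g s/\s\.(.*)\.$/ \1/g"

# Hypothetical variant (editor's): strip the leading and trailing dot of a
# whitespace-delimited label run, independent of where the event ends.
ROBUST_CHAIN = r"s/\(\d+\)/./g s/(\s)\.(\S+)\.(?=\s|$)/\1\2/g"

# The unescaped form from the question: (\d+) is a capture group, not literal
# parentheses, so only the digit runs are replaced and the brackets remain.
UNESCAPED = r"s/(\d+)/./g"


if __name__ == "__main__":
    for name, script in (("thread", THREAD_CHAIN), ("robust", ROBUST_CHAIN), ("unescaped", UNESCAPED)):
        for event in (SINGLE_LINE, MULTI_LINE):
            print(f"[{name}] {apply_sedcmd(script, event)!r}")
```

Run the file to see all three scripts against both events; the thread chain cleans the single-line event but leaves the multi-line one as ] A .35.48.199.157.in-addr.arpa. followed by the UDP Response line, exactly the symptom in the follow-up. Once a script behaves as expected here, it can be pasted unchanged into the SEDCMD-&lt;class&gt; setting, remembering that SEDCMD is applied at parse time, so only events indexed after the config change are affected.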
Yes, I am not using a heavy forwarder. The logs are collected on a universal forwarder and sent to the indexer for parsing.
I am able to use the following query at search time, and hence tried to make this permanent by copying it into props.conf.
The following is the query I am trying to execute:
index=dns | rex mode=sed "s/\(\d+\)/./g"
and I am getting the domain name without the () brackets.
But I am unable to copy the same into props.conf and get similar results:
[DNS]
MAX_TIMESTAMP_LOOKAHEAD=128
TRUNCATE=20000
DATETIME_CONFIG=CURRENT
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
disabled=false
SEDCMD-win_dns = s/\(\d+\)/./g
In current versions of Splunk, a lot of the Windows event log parsing happens on Universal Forwarders as well, so do deploy that props.conf to your forwarder and see if it correctly changes newly indexed events from then on.
Yes, I have made the props entry on the UFs as well and restarted, but still no luck.
Thanks
Try this:
s/((\d+))/./g
and this
s/\((\d+)\)/./g
We should check the docs to see what regex style Windows uses, escape characters, etc.
I like to change config and restart many times...
maybe this too:
s/\(\(\d+\)\)/./g
go crazy... you'll find it and post it back as the answer please ;-)
Interesting... good to know too!