Splunk Search

How to write the regex to convert an entry in my sample DNS logs to a readable URL format?

lakromani
Builder

Our DNS server logs' date in the following format:

02.03.2016 13:57:08 027C PACKET  0220AFE8 UDP Snd 10.10.10.160    6f8b R Q [8081   DR  NOERROR] A     (5)nexus(10)officeapps(4)live(3)com(0)
02.03.2016 14:06:33 027C PACKET  02C0D668 UDP Snd 10.10.10.130    6fc3 R Q [8081   DR  NOERROR] A     (7)android(10)googleapis(3)com(0)

How do I use eval to get:

url=nexus.officeapps.live.com
url=android.googleapis.com

I have tried several regex to get out various groups, but url varies in length.

0 Karma
1 Solution

javiergn
SplunkTrust
SplunkTrust

Try this:

your search here
| rex field=_raw "\[[^\]]+\]\s+A\s+\(\d+\)(?<url>\S+?)\(\d+\)$"
| rex mode=sed field=url max_match=0 "s/(\(\d+\))/./g"

Example:

| stats count
| eval event = " 02.03.2016 13:57:08 027C PACKET  0220AFE8 UDP Snd 10.10.10.160    6f8b R Q [8081   DR  NOERROR] A     (5)nexus(10)officeapps(4)live(3)com(0)"
| rex field=event "\[[^\]]+\]\s+A\s+\(\d+\)(?<url>\S+?)\(\d+\)$"
| rex mode=sed field=url max_match=0 "s/(\(\d+\))/./g"

Output: url = nexus.officeapps.live.com

View solution in original post

javiergn
SplunkTrust
SplunkTrust

Try this:

your search here
| rex field=_raw "\[[^\]]+\]\s+A\s+\(\d+\)(?<url>\S+?)\(\d+\)$"
| rex mode=sed field=url max_match=0 "s/(\(\d+\))/./g"

Example:

| stats count
| eval event = " 02.03.2016 13:57:08 027C PACKET  0220AFE8 UDP Snd 10.10.10.160    6f8b R Q [8081   DR  NOERROR] A     (5)nexus(10)officeapps(4)live(3)com(0)"
| rex field=event "\[[^\]]+\]\s+A\s+\(\d+\)(?<url>\S+?)\(\d+\)$"
| rex mode=sed field=url max_match=0 "s/(\(\d+\))/./g"

Output: url = nexus.officeapps.live.com

lakromani
Builder

Works perfectly.
Follow up question. Can this be done in Props.conf? If so, how?

0 Karma

javiergn
SplunkTrust
SplunkTrust

Yes, see this:

http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Createandmaintainsearch-timefieldextract...

And look for the inline (via props.conf) or advanced (via props.conf and transforms.conf).

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...