Splunk Search

Microsoft DNS debug logs. Massaging log format.

ageld
Path Finder

I am sending DNS debug logs from a forwarder on Windows 2003 to a Splunk indexer.

The DNS names in the log appear like this:

(3)dns(8)msftncsi(3)com(0)
(3)www(16)google-analytics(3)com(0)

I would like them to appear as:
dns.msftncsi.com
www.google-analytics.com

I want the leading (\d+) to be replaced with nothing and the other ones to be replaced with dots, except the trailing one.

I've figured out how to extract DNS names from the logs:

(?i)] \w+\s+(?P(.+))

I found a way to get rid of the (\d+) stuff with the following statements in search (the parentheses have to be escaped, otherwise the regex only matches the digits):

sourcetype="DNSDebugLog" | eval dns_name=replace(dns_name,"\(\d+\)",".") | eval dns_name=replace(dns_name,"^.","") | table dns_name

but I do not want those to appear in the log at all. I want to replace them on the forwarder before the logs are sent to the indexer.
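The "(3)dns(8)msftncsi(3)com(0)" form is the wire format of a DNS name: each label is preceded by its length, and "(0)" is the empty root label. The following is an added example (not code from the thread) with two ways to turn that into "dns.msftncsi.com": a length-aware decoder that checks every prefix against the text that follows it, so a malformed or truncated name is reported instead of silently cleaned up, and a regex rewrite of a whole log line using three substitutions that each only match a length prefix in its own position. The sample log lines, the function names and the line layout ("...] <type> <name>" at the end, as the poster's extraction regex assumes) are constructed for this example.

```python
"""Added example (not code from the original thread).

Windows 2003 DNS debug logging writes query names in their wire
form, one length prefix per label: "(3)dns(8)msftncsi(3)com(0)".
Two ways to get "dns.msftncsi.com" back out of that:

  decode_labels()  walks the length prefixes and checks that each
                   one matches the text that follows it, so a
                   malformed name is reported rather than "cleaned".
  rewrite_line()   applies three regex substitutions to the whole
                   log line, in the style a sed-type rewrite would.
"""
import re

LENGTH_PREFIX = re.compile(r"\((\d+)\)")


def decode_labels(encoded):
    """Decode a length-prefixed name; raise ValueError if it is malformed."""
    labels = []
    pos = 0
    while True:
        m = LENGTH_PREFIX.match(encoded, pos)
        if m is None:
            raise ValueError(f"no (length) prefix at offset {pos}: {encoded!r}")
        length = int(m.group(1))
        pos = m.end()
        if length == 0:                      # root label ends the name
            if pos != len(encoded):
                raise ValueError(f"data after root label: {encoded!r}")
            return ".".join(labels)
        if length > 63:                      # RFC 1035 label length limit
            raise ValueError(f"label length {length} exceeds 63: {encoded!r}")
        label = encoded[pos:pos + length]
        if len(label) != length or "(" in label or ")" in label:
            raise ValueError(f"length {length} at offset {pos} does not fit: {encoded!r}")
        labels.append(label)
        pos += length


def is_well_formed(encoded):
    """True if decode_labels() accepts the name, False otherwise."""
    try:
        decode_labels(encoded)
        return True
    except ValueError:
        return False


# Each rule only matches a length prefix in its own position, so the
# result does not depend on the order in which the rules are applied:
#   leading  "(N)" right after whitespace or at the start  -> removed
#   inner    "(N)" with label text on both sides           -> "."
#   trailing "(0)" at the end of the line                  -> removed
LINE_RULES = [
    (re.compile(r"(?<![^\s])\(\d+\)"), ""),
    (re.compile(r"(?<=[^()\s])\(\d+\)(?=[^()\s])"), "."),
    (re.compile(r"\(0\)$"), ""),
]


def rewrite_line(line):
    """Rewrite the length-prefixed name at the end of a debug log line."""
    for pattern, replacement in LINE_RULES:
        line = pattern.sub(replacement, line)
    return line


# Constructed sample events in the Windows 2003 DNS debug log layout.
SAMPLE_LINES = [
    "20120703 10:15:02 5A8 PACKET  00000000019A1A50 UDP Rcv 10.1.1.5  0003   Q [0001   D   NOERROR] A      (3)dns(8)msftncsi(3)com(0)",
    "20120703 10:15:03 5A8 PACKET  00000000019A1A50 UDP Rcv 10.1.1.7  0004   Q [0001   D   NOERROR] A      (3)www(16)google-analytics(3)com(0)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(rewrite_line(line))
    print(decode_labels("(3)dns(8)msftncsi(3)com(0)"))
    print(is_well_formed("(3)dn(8)msftncsi(3)com(0)"))   # prefix does not fit
```

The lookarounds in LINE_RULES matter for names with one-character labels such as "(1)a(1)b(3)com(0)": a rule that consumed the neighbouring label characters would skip every second prefix, whereas these rules leave the neighbours in place and produce "a.b.com" whichever order they run in.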


landen99
Motivator

Recently read an article covering that very topic. The following answers were found about 1/3 of the way down the following webpage: http://stratumsecurity.com/2012/07/03/splunk-security/

The following rex was suggested to clean up the domain name:

index="win_dns" imap | rex mode=sed "s/\(\d+\)/./g"

Domain name field extraction was suggested with this regex:

(?i) .*? \.(?P[-a-zA-Z0-9@:%_\+.~#?&//=]{2,256}\.[a-z]{2,4})

Mannyi31
Explorer

I have not done this but looking around I found this article talking about doing exactly what you are trying to do. It is for an older version of Splunk (4.1.3) but it is useful:

http://splunk-base.splunk.com/answers/4546/field-extraction-regex-fu-help

Also check on this link for the updated information on SEDCMD, REGEX and SED:

http://docs.splunk.com/Documentation/Splunk/4.2.5/Data/Anonymizedatausingconfigurationfiles

Basically this is used to anonymize confidential data from the logs and can be used to replace values with different ones like what you are trying to do.

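SEDCMD in props.conf is the mechanism the link above describes for rewriting events before they are indexed. The stanza below is an added example for the poster's sourcetype DNSDebugLog, not configuration from the thread or from the Splunk documentation; the class names after "SEDCMD-" are chosen here. The three rules use lookarounds so that each one can only match a length prefix in its own position (after whitespace, between label text, at the end of the event), which makes the result the same whichever order Splunk applies them in.

```ini
# props.conf on the instance that parses sourcetype DNSDebugLog
# (added example; class names after "SEDCMD-" are arbitrary)
[DNSDebugLog]
# leading "(N)" after whitespace or at the start of the event: drop it
SEDCMD-dns_leading_label = s/(?<![^\s])\(\d+\)//g
# "(N)" with label text on both sides: turn it into a dot
SEDCMD-dns_inner_labels = s/(?<=[^()\s])\(\d+\)(?=[^()\s])/./g
# trailing root label "(0)" at the end of the event: drop it
SEDCMD-dns_root_label = s/\(0\)$//
```

One caveat for the "on the forwarder" requirement: SEDCMD runs in the parsing pipeline, so it takes effect on a heavy forwarder or on the indexer. A universal or light forwarder only ships raw data and will not apply it, so the stanza has to live wherever the DNSDebugLog events are actually parsed.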