I am sending DNS debug logs from a forwarder on Windows 2003 to a Splunk indexer.
The DNS names in the log appear like this:
(3)dns(8)msftncsi(3)com(0)
(3)www(16)google-analytics(3)com(0)
I would like them to appear as:
dns.msftncsi.com
www.google-analytics.com
I want the leading (\d+) to be replaced with nothing and the other ones to be replaced with dots, except the trailing one.
I've figured out how to extract DNS names from the logs:
(?i)] \w+\s+(?P
I found a way to get rid of the (\d+) stuff with the following statements in search: sourcetype="DNSDebugLog" | eval dns_name=replace(dns_name,"\(\d+\)",".") | eval dns_name=replace(dns_name,"^\.|\.$","") | table dns_name
but I do not want those to appear in the log at all. I want to replace those on the forwarder before the logs are sent to the indexer.
I recently read an article covering that very topic. The following answers were found about 1/3 of the way down the following webpage: http://stratumsecurity.com/2012/07/03/splunk-security/
The following rex was suggested to clean up the domain name:
index="win_dns" imap | rex mode=sed "s/\(\d+\)/./g"
Domain name field extraction was suggested with this regex:
(?i) .*? \.(?P[-a-zA-Z0-9@:%_\+.~#?&//=]{2,256}\.[a-z]{2,4})
I have not done this, but looking around I found this article talking about doing exactly what you are trying to do. It is for an older version of Splunk (4.1.3) but it is useful:
http://splunk-base.splunk.com/answers/4546/field-extraction-regex-fu-help
Also check on this link for the updated information on SEDCMD, REGEX and SED:
http://docs.splunk.com/Documentation/Splunk/4.2.5/Data/Anonymizedatausingconfigurationfiles
Basically this is used to anonymize confidential data from the logs and can be used to replace values with different ones like what you are trying to do.