Getting Data In

How to alter data using SEDCMD in props.conf?

Sayanta_Basak_I
Explorer

We have the DNS debug logs coming onto the indexer.
Now each event will have an alphanumeric pattern for 'domain name' in the fashion below

(1)abc(2)def(3)ghif(4)

Now I want the highlighted data to be altered to a different format.
I have used the below SEDCMD in props.conf but it does not seem to alter it as required

SEDCMD-win_dns = s/\(\d+\)/./g

Expectation: abc.def.ghif
Reality: .abc.def.ghif.

So it basically replaces all the '(digits)' with '.'. But I want the integers at the extreme ends to be converted to a white space character.
Is that possible?

0 Karma

sundareshr
Legend

Try this

SEDCMD-win_dns = s/(\(\d\))(\w+)(\(\d\))(\w+)(\(\d\))(\w+)(\(\d\))/\2\.\4\.\6/g
0 Karma

Sayanta_Basak_I
Explorer

Hi,

It does not seem to work!
Will it be possible for you to explain in short what logic you are using for this ?

Regards
Sayanta B

0 Karma

Sayanta_Basak_I
Explorer

Okay, so I seem to have got the logic; strange that it's not working. Maybe we can fix that.
But there is a different catch.

Every time, the domain name may not be in the given format
(1)abc(2)def(3)ghif(4)

It can be any of the below 2 as well

(1)abc(2)def(3)
(1)abc(2)def(3)ghif(4)xyz(5)

Any thoughts on that?

0 Karma

sundareshr
Legend

In that case, try these three SEDCMDs

SEDCMD-remove_parens_num = s/\(\d+\)/./g
SEDCMD-remove_first_period = s/^\.//g
SEDCMD-remove_last_period = s/\.$//g

0 Karma

tomasmoser
Contributor

I have the same issue with MS Active Directory DNS server log format. Does not work. No change at all. I am desperate.

0 Karma

skoelpin
SplunkTrust

Ask in a separate/new question and I'd be happy to help you

0 Karma

tomasmoser
Contributor

I need to solve the same issue as in this thread - regarding the MS DNS log format.

I have events like this:
1. 2. 2017 20:19:22 0D80 PACKET 0000002548D040A0 UDP Rcv 10.17.81.32 7be7 Q [0001 D NOERROR] A (5)h42-m(3)sec(3)lab(0)

The problem is with "(5)h42-m(3)sec(3)lab(0)"

I need to get events to look like this:

1. 2. 2017 20:19:22 0D80 PACKET 0000002548D040A0 UDP Rcv 10.17.81.32 7be7 Q [0001 D NOERROR] A h42-m.sec.lab

When I implemented your suggestion in props.conf
SEDCMD-remove_parens_num = s/\(\d+\)/./g
SEDCMD-remove_first_period = s/^\.//g
SEDCMD-remove_last_period = s/\.$//g

I stopped seeing my DNS logs in the GUI permanently after restarting Splunk. I do not understand. If I remove your proposal, they are back again with the wrong format.

Any idea?

Tomas

0 Karma

skoelpin
SplunkTrust

I solved your question. Go post a new question with a description and I will post your answer

0 Karma
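A worked example of the substitutions discussed in this thread, added here and not part of any post: it runs the three-step chain and an anchor-free two-step alternative over the domain shapes from the question and the full MS DNS event quoted above, and adds a consistency check on the (n) length prefixes. It assumes Python's re treats these patterns the same way as Splunk's PCRE-based SEDCMD; the SEDCMD names in the comments of the second chain are suggestions, not settings from any post.

```python
import re

# Constructed sample inputs (not real log data): the three domain shapes from
# the question plus the full MS DNS debug-log event quoted later in the thread.
DOMAIN_SAMPLES = {
    "(1)abc(2)def(3)ghif(4)": "abc.def.ghif",
    "(1)abc(2)def(3)": "abc.def",
    "(1)abc(2)def(3)ghif(4)xyz(5)": "abc.def.ghif.xyz",
}
FULL_EVENT = ("1. 2. 2017 20:19:22 0D80 PACKET 0000002548D040A0 UDP Rcv "
              "10.17.81.32 7be7 Q [0001 D NOERROR] A (5)h42-m(3)sec(3)lab(0)")

# The thread's three-step chain, with the parentheses escaped so they match
# the literal "(digits)" tokens. Note that ^ and $ anchor to the whole event,
# not to the domain field, so a domain in mid-event keeps its leading ".".
THREAD_CHAIN = [
    (r"\(\d+\)", "."),  # SEDCMD-remove_parens_num
    (r"^\.", ""),       # SEDCMD-remove_first_period
    (r"\.$", ""),       # SEDCMD-remove_last_period
]

# Anchor-free alternative that copes with any number of labels: step 1 moves
# each label in front of its own "(n)" marker and turns the marker into ".",
# step 2 drops the trailing ".(n)" that had no label after it.
LABEL_CHAIN = [
    (r"\(\d+\)([^()\s]+)", r"\1."),  # hypothetical SEDCMD-label_to_dot
    (r"\.\(\d+\)", ""),              # hypothetical SEDCMD-drop_terminator
]

def apply_sedcmd_chain(event, chain):
    """Apply substitutions in props.conf order, as SEDCMD does per event."""
    for pattern, repl in chain:
        event = re.sub(pattern, repl, event)
    return event

LABEL_RE = re.compile(r"\((\d+)\)([^()\s]*)")

def length_prefixes_consistent(encoded):
    """True when every (n) equals the length of the label that follows it, as
    in genuine MS DNS debug output (n is the DNS wire-format length octet)."""
    return all(int(n) == len(label) for n, label in LABEL_RE.findall(encoded))
```

Running the event through both chains shows the difference: the thread's chain leaves "A .h42-m.sec.lab" because the leading period is not at the start of the event, while the anchor-free chain produces the expected "A h42-m.sec.lab".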