Solved: How to reduce the DNS logs using regex?

kiran331 · ‎06-15-2017

Hi

I have the DNS debug logs enabled, is there a way to index only failures ignoring the successful one's?

I have many events with NOERROR in msg, I hae to ignore the events with NOERROR in msg and index rest of events. how to edits props.conf and transforms.conf to make it work?

6/15/2017 9:54:10 AM 0CFC PACKET 000000F39767C180 UDP Snd 1.2.3.3 1603 R Q [8081 DR NOERROR] A (5)ctldl(13)windowsupdate(3)com(0)

gcusello · ‎06-15-2017

Hi
try with this configurations:

Props.conf

[your_sourcetype]
TRANSFORMS-set-DNS=set_DNS,set_nullqueue

Transforms.conf

########## discard ##########

[set_nullqueue]
REGEX=NOERROR 
DEST_KEY=queue
FORMAT=nullQueue

########## filter ##########

[set_DNS]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue

verify (using Splunk) if regex is correct!

For more information see http://docs.splunk.com/Documentation/Splunk/6.6.1/Forwarding/Routeandfilterdatad

Bye.
Giuseppe

View solution in original post

gcusello · ‎06-15-2017

Hi
try with this configurations:

Props.conf

[your_sourcetype]
TRANSFORMS-set-DNS=set_DNS,set_nullqueue

Transforms.conf

########## discard ##########

[set_nullqueue]
REGEX=NOERROR 
DEST_KEY=queue
FORMAT=nullQueue

########## filter ##########

[set_DNS]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue

verify (using Splunk) if regex is correct!

For more information see http://docs.splunk.com/Documentation/Splunk/6.6.1/Forwarding/Routeandfilterdatad

Bye.
Giuseppe

kiran331 · ‎06-15-2017

Thank you.

How to reduce the DNS logs using regex?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes