Solved: How Do I Obtain the Valid Part of DNS Logs?

dickens8866 · ‎02-03-2020

Dear All,

I'm trying to retrieve and parse windows dns log, the sample looks like this:

1/23/2020 11:59:42 PM 0B50 PACKET 000001F5A879FCD0 UDP Snd 10.231.150.89 b40e R Q [8081 DR NOERROR] A (3)www(15)msftconnecttest(3)com(0)
After installed plunk Add-on for Microsoft Windows DNS , it can automatically extract filed query = (3)www(15)msftconnecttest(3)com(0). But the query name looks very strange, the real name should be www.msftconnecttest.com.

So my question is , how to parse or transform the query name into correct format. maybe need to write some regular expression
or something, but i'm not good at it.

nickhills · ‎02-04-2020

Not tested, but you could try:

|eval fixedDNS = replace(badDns, "\(\d+\)","\.")
Where badDNS is the field that contains "(3)www(15)msftconnecttest(3)com(0)"

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills · ‎02-04-2020

Not tested, but you could try:

|eval fixedDNS = replace(badDns, "\(\d+\)","\.")
Where badDNS is the field that contains "(3)www(15)msftconnecttest(3)com(0)"

If my comment helps, please give it a thumbs up!

How Do I Obtain the Valid Part of DNS Logs?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!