Getting Data In

Can I run two SEDCMDs together in one

wbfoxii
Communicator

I see this article:

http://splunk-base.splunk.com/answers/46024/multiple-sedcmds

But I also see this in the documentation for props.conf:

A sed script is a space-separated list of sed commands. Currently the following subset of
sed commands is supported:
* replace (s) and character substitution (y).

So I have these ridiculous Microsoft DNS servers that give you FQDNs that look like this:

(8)testserv(7)company(3)com(0)

Can I put this in props.conf for the sourcetype to remove the (0) and convert the others to dots?

SEDCMD-win_dns = s/(0)// s/(\d+)/./g

Tags (1)

wbfoxii
Communicator

Nuts - posting eliminated a bunch of the backslashes I used for escaping the parens and the d

Grrr. Anyway, stringing the sedcmds together and trying to do two on separate lines didn't work

0 Karma

wbfoxii
Communicator

So I tested and using this syntax does not work:


SEDCMD-win_dns = s/(0)// s/(\d+)/./g

It just did nothing.

Putting in in like this:


SEDCMD-win_dns = s/(0)//
SEDCMD-win_dns2 = s/(\d+)/./g

resulted in extra lines, so that was a failure. I guess I'm beat and I need to live with extra periods, then just get rid of them in the field extraction.

0 Karma

wbfoxii
Communicator

Artifact Schmartifact. A BIND server can put a valid, unobfuscated FQDN in a log record. Why does Microsoft make it hard?

0 Karma

sowings
Splunk Employee
Splunk Employee

Just to be clear, the "ridiculous" part of those parenthetical digits is actually an artifact of the way the DNS query / reply is encoded in the packet. It represents the number of bytes in the following string. The (0) means "the end".

0 Karma

lguinn2
Legend

I don't think you can put multiple s commands in a single line, but you could re-write your regular expression like this:

SEDCMD-win_dns = s/\(\d+\)(\S+)\(\d+\)(\S+)\(\d+\)(\S+)\(\0\)/\1.\2.\3/g

This finds the whole pattern and replaces it all at once. I think it is safer than looking for it piecemeal, which might match things you didn't intend. A lot of the \ are to escape the () which have special meaning in regexes.

0 Karma

wbfoxii
Communicator

Thanks. I actually did have the backslash characters in my original post, but they didn't get past the rendering.

The pattern does not necessarily have only three levels. Local addresses commonly have five, and some have only one, so the regex needs to be more accommodating. That's why the two commands in one line would be attractive.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...