
DNS_Type regexp not working

nexellent
Explorer

I am trying to use the Splunk for DNS App. Most of the saved searches work based on a regexp which searches for a "DNS_Type"-field. I guess it's trying to match the type of log-message (client query, xfer, etc.) to something meaningful.

For me this regexp does not match appropriately and thus renders this App almost useless. Anyone else tried to use this app to any successful extent?

I am definitely not a regexp pro and thus unable to fix this issue on my own. 😞

From what I guess the regexp is trying to strip off the beginning of the log-line up to the first word which is followed by a colon whereas this word is then considered the "DNS_Type". A few examples in my case would be general, database, resolver, security.

A typical bunch of log-lines would look like this:

Aug 13 19:06:57 server.domain.net Aug 13 19:06:57 server 13-Aug-2013 19:06:57.696 queries: info: client 123.123.123.123#34786: view this_view: query: some.domain.tld IN A +

Aug 13 18:38:07 server.domain.net Aug 13 18:38:07 server 13-Aug-2013 18:38:06.927 update-security: error: client 123.123.123.123#61322: view that_view: update '123.123.123.IN-ADDR.ARPA/IN' denied

Aug 13 19:02:02 server2.domain.net Aug 13 19:02:02 named[81975]: 13-Aug-2013 19:02:02.727 security: info: client 41.218.82.208#60393: view that_view: query (cache) 'some.domain.tld/A/IN' denied

Aug 13 19:02:02 server2.domain.net Aug 13 19:02:02 named[81975]: 13-Aug-2013 19:02:02.532 resolver: debug 1: createfetch: 123.123.123.123.in-addr.arpa PTR

Aug 13 18:57:59 server2.domain.net Aug 13 18:57:59 named[81975]: 13-Aug-2013 18:57:59.963 xfer-in: info: transfer of 'domain.tld/IN/this_view' from 123.123.123.123#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)

Any help to fix that regexp would be appreciated.

1 Solution

starcher
SplunkTrust

This seems to work (named group restored as DNS_Type, which the forum stripped from the pattern):
(?:\d{2}:\d{2}:\d{2}.\d{3}\s)(?P<DNS_Type>[^:]+)


Defensive-ISS
New Member

Your sample log entries don't contain named in the prefix for query or update. ALL log transactions from the DNS server MUST be prefixed with BIND-DNS, otherwise the application will not work.



nexellent
Explorer

That seems to be working. Will see how it integrates into the app. Thank you!


starcher
SplunkTrust

Oh I see what happened. The forum system removed the backslashes. Put them in front of the d's, the period, the s and the colons. I pasted it again below but with double slashes this time to see if it posts it properly (named group restored as DNS_Type, which the forum also stripped):
(?:\d{2}\:\d{2}\:\d{2}\.\d{3}\s)(?P<DNS_Type>[^\:]+)
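To check the answer's pattern against the sample lines from the question, here is an added example that is not from the thread or the Splunk for DNS App: it assumes the named group is DNS_Type (the forum stripped the group name) and shows, as an assumption in a comment, how the same pattern would read as an SPL rex command.

```python
import re
from collections import Counter
from typing import Optional

# Pattern from the answer, with the named group assumed to be DNS_Type.
# Assumed SPL equivalent for use in a search:
#   | rex "(?:\d{2}:\d{2}:\d{2}\.\d{3}\s)(?<DNS_Type>[^:]+)"
DNS_TYPE_RE = re.compile(r"(?:\d{2}:\d{2}:\d{2}\.\d{3}\s)(?P<DNS_Type>[^:]+)")

# Constructed sample events, copied from the BIND log lines in the question.
SAMPLE_EVENTS = [
    "Aug 13 19:06:57 server.domain.net Aug 13 19:06:57 server 13-Aug-2013 19:06:57.696 "
    "queries: info: client 123.123.123.123#34786: view this_view: query: some.domain.tld IN A +",
    "Aug 13 18:38:07 server.domain.net Aug 13 18:38:07 server 13-Aug-2013 18:38:06.927 "
    "update-security: error: client 123.123.123.123#61322: view that_view: "
    "update '123.123.123.IN-ADDR.ARPA/IN' denied",
    "Aug 13 19:02:02 server2.domain.net Aug 13 19:02:02 named[81975]: 13-Aug-2013 19:02:02.727 "
    "security: info: client 41.218.82.208#60393: view that_view: query (cache) 'some.domain.tld/A/IN' denied",
    "Aug 13 19:02:02 server2.domain.net Aug 13 19:02:02 named[81975]: 13-Aug-2013 19:02:02.532 "
    "resolver: debug 1: createfetch: 123.123.123.123.in-addr.arpa PTR",
    "Aug 13 18:57:59 server2.domain.net Aug 13 18:57:59 named[81975]: 13-Aug-2013 18:57:59.963 "
    "xfer-in: info: transfer of 'domain.tld/IN/this_view' from 123.123.123.123#53: "
    "Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)",
]


def extract_dns_type(event: str) -> Optional[str]:
    """Return the BIND logging category (DNS_Type) of one event, or None when the
    line carries no 'HH:MM:SS.mmm category:' stamp and so cannot be classified."""
    m = DNS_TYPE_RE.search(event)
    return m.group("DNS_Type") if m else None


def count_by_type(events) -> Counter:
    """Tally events per DNS_Type. Lines the pattern does not match are counted as
    'unparsed' so that a broken extraction shows up as a number instead of vanishing."""
    return Counter(extract_dns_type(e) or "unparsed" for e in events)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{extract_dns_type(event):16} <- {event[:70]}...")
    print(count_by_type(SAMPLE_EVENTS))
```

On the five sample lines this yields queries, update-security, security, resolver and xfer-in, one each; a line without the BIND timestamp is reported as unparsed rather than dropped.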

nexellent
Explorer

I tried to run this against my logs. Not one single match unfortunately.
