We have the DNS debug logs coming onto the indexer.
Now each event will have an alpha-numeric pattern for 'domain name' in the fashion below
(1)abc(2)def(3)ghif(4)
Now I want the highlighted data to be altered to a different format
I have used the below SEDCMD in props.conf but it does not seem to alter it as required
SEDCMD-win_dns = s/\(\d+\)/./g
Expectation: abc.def.ghif
Reality: .abc.def.ghif.
So it basically replaces all the '(digits)' with '.', but I want the extreme-placed integers to be converted to a whitespace character.
Is that possible?
Try this
SEDCMD-win_dns = s/(\(\d\))(\w+)(\(\d\))(\w+)(\(\d\))(\w+)(\(\d\))/\2\.\4\.\6/g
Hi,
It does not seem to work!
Will it be possible for you to explain in short what logic you are using for this ?
Regards
Sayanta B
Okay, so I seem to have got the logic; strange that it's not working. Maybe we can fix that.
But there is a different catch.
Every time the domain name may not be in the given format
(1)abc(2)def(3)ghif(4)
It can be any of the 2 below as well
(1)abc(2)def(3)
(1)abc(2)def(3)ghif(4)xyz(5)
Any thoughts on that
In that case, try three SEDCMDs
SEDCMD-remove_parens_num = s/\(\d+\)/./g
SEDCMD-remove_first_period = s/^\.//g
SEDCMD-remove_last_period = s/\.$//g
I have the same issue with MS Active Directory DNS server log format. Does not work. No change at all. I am desperate.
Ask in a separate/new question and I'd be happy to help you
I need to solve the same issue as in this thread, regarding the MS DNS log format.
I have events like this:
1. 2. 2017 20:19:22 0D80 PACKET 0000002548D040A0 UDP Rcv 10.17.81.32 7be7 Q [0001 D NOERROR] A (5)h42-m(3)sec(3)lab(0)
The problem is with "(5)h42-m(3)sec(3)lab(0)"
I need to get events to look like this:
When I implemented your suggestion in props.conf
SEDCMD-remove_parens_num = s/\(\d+\)/./g
SEDCMD-remove_first_period = s/^\.//g
SEDCMD-remove_last_period = s/\.$//g
I stopped seeing my DNS logs in the GUI permanently after a restart of Splunk. I do not understand. If I remove your proposal, it's back again with the wrong format.
Any idea?
Tomas
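The substitution chain proposed above, and the MS DNS debug-log variant Tomas quotes, as an added example that is not part of the thread or of Splunk itself. It re-expresses the three SEDCMD stages with Python's re.sub (parentheses escaped, as sed and PCRE require) so they can be run offline against the sample events quoted in the posts, then shows a single-pass decoder of my own that handles the full MS DNS line: the numbers in "(5)h42-m(3)sec(3)lab(0)" are DNS wire-format label lengths with "(0)" as the root terminator, and the ^ and $ anchors of the chain only work when the event consists of the name alone. The function and pattern names are assumptions for this example; the sample events are the ones quoted in the thread.

```python
import re

# Added example: re.sub stand-ins for the three SEDCMD stages proposed in the
# thread. Splunk applies SEDCMD to the whole raw event, so the chain is run
# over the entire line, exactly as the indexer would.
SEDCMD_CHAIN = [
    ("remove_parens_num",   re.compile(r"\(\d+\)"), "."),  # "(5)" -> "."
    ("remove_first_period", re.compile(r"^\."),     ""),   # leading "."
    ("remove_last_period",  re.compile(r"\.$"),     ""),   # trailing "."
]


def apply_sedcmd_chain(event):
    """Run the three substitutions in order over the whole raw event."""
    for _name, pattern, repl in SEDCMD_CHAIN:
        event = pattern.sub(repl, event)
    return event


# One encoded name: "(n)label" repeated, then a final "(n)". Covers both
# variants in the thread: the indexed form "(1)abc(2)def(3)" and the MS DNS
# form "(5)h42-m(3)sec(3)lab(0)", where n is the label length and (0) the root.
ENCODED_NAME = re.compile(r"(?:\(\d+\)[A-Za-z0-9_-]+)+\(\d+\)")
LABEL = re.compile(r"\((\d+)\)([A-Za-z0-9_-]+)")


def _join_labels(match):
    # Keep only the label text and join with dots; the final "(n)" is dropped.
    return ".".join(label for _n, label in LABEL.findall(match.group(0)))


def decode_encoded_names(event):
    """Rewrite every encoded name inside a full event in a single pass,
    leaving the rest of the line (timestamp, IPs, flags) untouched."""
    return ENCODED_NAME.sub(_join_labels, event)


def label_lengths_consistent(token):
    """For the MS DNS form, check that each (n) equals the length of the label
    that follows it; a mismatch means the line was truncated or mangled."""
    return all(int(n) == len(label) for n, label in LABEL.findall(token))


# Constructed test data: the sample events quoted in the thread.
SAMPLES = [
    "(1)abc(2)def(3)ghif(4)",
    "(1)abc(2)def(3)",
    "(1)abc(2)def(3)ghif(4)xyz(5)",
]
MS_DNS_EVENT = (
    "1. 2. 2017 20:19:22 0D80 PACKET 0000002548D040A0 UDP Rcv 10.17.81.32 "
    "7be7 Q [0001 D NOERROR] A (5)h42-m(3)sec(3)lab(0)"
)

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:30} chain -> {apply_sedcmd_chain(s):18} "
              f"decode -> {decode_encoded_names(s)}")
    # On a full event the chain's ^ anchor never reaches the name, so a stray
    # leading "." survives ("A .h42-m.sec.lab"); the decoder yields "A h42-m.sec.lab".
    print(apply_sedcmd_chain(MS_DNS_EVENT))
    print(decode_encoded_names(MS_DNS_EVENT))
```

The single-pass decoder is also the safer shape for a props.conf rule: one SEDCMD that matches the encoded token as a unit cannot strip a leading or trailing "." from some other part of the event, whereas the anchored stages 2 and 3 act on whatever happens to start or end the raw line.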
I solved your question. Go post a new question with a description and I will post your answer