Hi,

It does not seem to work!
Will it be possible for you to explain in short what logic you are using for this ?

Regards
Sayanta B

Okay so I seem to have got the logic, strange its not working. maybe we can fix that.
Bu there is a different catch.

Every time the doamin name may not be the given format
(1)abc(2)def(3)ghif(4)

It cane be any of below 2 as well

(1)abc(2)def(3)
(1)abc(2)def(3)ghif(4)xyz(5)

Any thoughts on that

In that case, try three SEDCMD

SEDCMD-remove_parens_num = s/((\d))/./g
SEDCMD-remove_first_period = s/^(.)//g
SEDCMD-remove_last_period = s/(.)$//g

I have the same issue with MS Active Directory DNS server log format. Does not work. No change at all. I am desperate.

Ask in a separate/new question and I'd be happy to help you

I need to solve the same issue as in this threat - regardin MS DNS log format.

I have events like this:
1. 2. 2017 20:19:22 0D80 PACKET 0000002548D040A0 UDP Rcv 10.17.81.32 7be7 Q [0001 D NOERROR] A (5)h42-m(3)sec(3)lab(0)

The problem is with "(5)h42-m(3)sec(3)lab(0)"

I need to get events to look like this:

1. 2. 2017 20:19:22 0D80 PACKET 0000002548D040A0 UDP Rcv 10.17.81.32 7be7 Q [0001 D NOERROR] A h42-m.sec.lab

When I implemented your suggestion in props.conf
SEDCMD-remove_parens_num = s/((\d))/./g
SEDCMD-remove_first_period = s/^(.)//g
SEDCMD-remove_last_period = s/(.)$//g

I stopped seeing my DNS logs in GUI permanently after restart of Splunk. I do not understand. If I removed your proposal, it's back again with wrong format.

Any idea?

Tomas

I solved your question.. Go post a new question with a description and I will post your answer