Splunk Search

Matching A vs AAAA rex help

dondky
Path Finder

All,

I'm stuck on a regex issue. Not sure how I can match A records vs AAAA records within Windows DNS logs. I came up with the following:

sourcetype=windns* | rex "NOERROR]\s(?<record_type>(?:A|PTR|SRV|TXT|AAAA))\s" | table record_type

However, my AAAA records don't return; I'm thinking this is because the A is matched and the match stops there. How would one match A and AAAA records?

Here is a sample data set:

20131021 12:24:06 1190 PACKET 05D2B130 UDP Rcv 192.168.x.x e31f Q [0001 D NOERROR] A test.example.com
20131021 12:24:06 1190 PACKET 1D4EE140 UDP Rcv 192.168.x.x 3d6d Q [0001 D NOERROR] AAAA test.example.com

Any pointers or assistance would be helpful.

Thanks

0 Karma
1 Solution

richgalloway
SplunkTrust

Why be so specific? Just take everything between "NOERROR]" and the DNS name as the record type.

| rex "NOERROR]\s(?<record_type>.*?)\s" |

If you only want to see specific record types, use a where clause after the rex.

---
If this reply helps you, Karma would be appreciated.


dondky
Path Finder

Might be answering my own question but I think I found a solution with the following:

sourcetype=windns* | rex "NOERROR]\s(?<record_type>(?:A|PTR|SRV|TXT|\bAAAA\b))\s" | table record_type

Still open to how others would solve this though.

0 Karma


richgalloway
SplunkTrust

Please accept this answer if it solves your problem.

---
If this reply helps you, Karma would be appreciated.
0 Karma

dondky
Path Finder

Wow, this is much better. I tried the .* route but never added the ?, hence I went the specific route. Thanks for pointing this out.

0 Karma
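As an added example (not code from the thread), the two rex patterns discussed above, the original's explicit alternation and richgalloway's lazy `.*?` capture, applied in Python to constructed Windows DNS debug-log lines in the same layout as the sample data. The client IPs and the extra PTR/TXT/MX lines are made up; the lazy capture also picks up a record type the alternation does not list, which is the point of the accepted answer.

```python
import re
from collections import Counter

# Constructed sample lines in the Windows DNS debug-log layout shown in the thread.
# Client addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
20131021 12:24:06 1190 PACKET 05D2B130 UDP Rcv 192.0.2.10 e31f Q [0001 D NOERROR] A test.example.com
20131021 12:24:06 1190 PACKET 1D4EE140 UDP Rcv 192.0.2.10 3d6d Q [0001 D NOERROR] AAAA test.example.com
20131021 12:24:07 1190 PACKET 1D4EE140 UDP Rcv 192.0.2.11 3d6e Q [0001 D NOERROR] PTR 10.2.0.192.in-addr.arpa
20131021 12:24:08 1190 PACKET 05D2B130 UDP Rcv 192.0.2.12 e320 Q [0001 D NOERROR] TXT _dmarc.example.com
20131021 12:24:09 1190 PACKET 05D2B130 UDP Rcv 192.0.2.12 e321 Q [0001 D NOERROR] MX example.com
"""

# The two patterns from the thread. Splunk's rex is PCRE; Python's re accepts the
# same expressions once the named group is spelled (?P<name>...) instead of (?<name>...).
SPECIFIC_RE = re.compile(r"NOERROR\]\s(?P<record_type>(?:A|PTR|SRV|TXT|AAAA))\s")
LAZY_RE = re.compile(r"NOERROR\]\s(?P<record_type>.*?)\s")


def extract_record_types(log_text, pattern):
    """Return the record_type captured on each line, or None where the pattern misses."""
    results = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        results.append(m.group("record_type") if m else None)
    return results


def count_by_type(log_text, pattern=LAZY_RE):
    """Per-type query counts, the equivalent of '| stats count by record_type' in Splunk."""
    return Counter(t for t in extract_record_types(log_text, pattern) if t)


if __name__ == "__main__":
    print("alternation:", extract_record_types(SAMPLE_LOG, SPECIFIC_RE))
    print("lazy capture:", extract_record_types(SAMPLE_LOG, LAZY_RE))
    print("counts:", dict(count_by_type(SAMPLE_LOG)))
```

The per-type counts give a quick baseline for a DNS query mix; a sudden rise in one type (TXT, for example) is the kind of shift worth a `where` filter after the rex.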