Splunk Search

REGEX to find one-level DNS requests for filtering in transforms

wbfoxii
Communicator

I'm trying to write a regex to match DNS names with only one level in Windows debug logs. I don't want to index those, since they're all internal hosts.

Here are some samples:


3/19/2014 1:18:39 PM 05A4 PACKET 00000000039E3AE0 UDP Rcv aaa.bbb.ccc.ddd 0c45 Q [0001 D NOERROR] TXT ._nfsv4idmapdomain.
3/19/2014 1:18:37 PM 05A4 PACKET 0000000003CDA2C0 UDP Rcv aaa.bbb.ccc.ddd eb60 Q [0001 D NOERROR] A .gishpcs3.

The transforms.conf statement looks like this (I'm filtering other things as well; the FIRST match is the one in question):

REGEX = (\s\.[A-Za-z0-9_-]+\.\s|\.ip6\.arpa|IN-ADDR|in-addr\.arpa|\sSnd\s)

So, annoyingly, this matches in a regex test site I found (http://www.regexr.com/) but the records are still being indexed. Anyone got a clue about why this doesn't filter?


martin_mueller
SplunkTrust

The regex you posted in the question and the regex in the transforms.conf stanza are different - make sure you're using the most up-to-date one in the transforms.

Looking at the transforms.conf expression, I'm guessing you're missing a backslash at char 8, unless you're really looking for a literal s rather than a whitespace. Changing that makes the regex match your events. Before/after:

(^[^\d]|s\.[A-Za-z0-9_-]+\.\s*$|IN-ADDR|in-addr|\sSnd\s|\sR\sQ\s|\.ip6\.arpa|NXDOMAIN|windowsupdate\.com)
(^[^\d]|\s\.[A-Za-z0-9_-]+\.\s*$|IN-ADDR|in-addr|\sSnd\s|\sR\sQ\s|\.ip6\.arpa|NXDOMAIN|windowsupdate\.com)

wbfoxii
Communicator

That backslash is in the regex. It's a hassle to add regex to this discussion because you have to escape the backslash character and I missed that one.


wbfoxii
Communicator

Full props.conf stanza:


[windns_query]
SEDCMD-win_dns = s/\(\d+\)/./g
EXTRACT-src_ip-fqdn-win = Rcv\s(?[^\s]+).+\]\s(?P[^\s]+)\s+\.(?P[^\s]+)\.$
TRANSFORMS-windns = windnsnull

Full transforms.conf

[windnsnull]
REGEX = (^[^\d]|\s\.[A-Za-z0-9_-]+\.\s*$|IN-ADDR|in-addr|\sSnd\s|\sR\sQ\s|\.ip6\.arpa|NXDOMAIN|windowsupdate\.com)
DEST_KEY = queue
FORMAT = nullQueue

full inputs.conf


[monitor://c:\Windows\System32\dns\dns.log]
sourcetype=windns_query
index=myIndex
SHOULD_LINEMERGE = false

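As an added example that is not part of the original thread, the script below replays the [windns_query] / [windnsnull] configuration above outside Splunk: it applies the SEDCMD rewrite (turning the raw Windows DNS debug form `(3)www(7)example(3)com(0)` into `.www.example.com.`), then evaluates the posted nullQueue REGEX alternative by alternative and reports which branch, if any, sends a line to nullQueue. The sample lines are constructed to resemble the ones posted (the IP is left as the thread's `aaa.bbb.ccc.ddd`), Python's `re` is used as a stand-in for Splunk's PCRE engine, and the assumption that the SEDCMD substitution has already run when the routing regex is evaluated is the script's, not something the thread establishes; the `sedcmd_first=False` path shows that, on the raw `(N)label(0)` form, the one-level alternative cannot match at all, which is one thing worth ruling out when a transform appears not to fire.

```python
import re

# Constructed sample lines modelled on the Windows DNS debug log entries posted in
# the thread, in the raw on-disk form where each label carries a "(N)" length
# prefix and the name ends with "(0)". The IP is the thread's own placeholder.
RAW_LINES = [
    # one-level internal names: should be dropped
    "3/19/2014 1:18:39 PM 05A4 PACKET 00000000039E3AE0 UDP Rcv aaa.bbb.ccc.ddd 0c45 Q [0001 D NOERROR] TXT (17)_nfsv4idmapdomain(0)",
    "3/19/2014 1:18:37 PM 05A4 PACKET 0000000003CDA2C0 UDP Rcv aaa.bbb.ccc.ddd eb60 Q [0001 D NOERROR] A (8)gishpcs3(0)",
    # multi-level external name: should be kept (indexed)
    "3/19/2014 1:18:40 PM 05A4 PACKET 0000000003CDA2C0 UDP Rcv aaa.bbb.ccc.ddd 1a2b Q [0001 D NOERROR] A (3)www(7)example(3)com(0)",
    # server response (Snd ... R Q): dropped by the Snd / R Q alternatives
    "3/19/2014 1:18:40 PM 05A4 PACKET 0000000003CDA2C0 UDP Snd aaa.bbb.ccc.ddd 1a2b R Q [8081 DR NOERROR] A (3)www(7)example(3)com(0)",
    # packet-dump continuation line that does not begin with a digit
    "    Offset = 0x0037, RR count = 0",
]

# SEDCMD-win_dns = s/\(\d+\)/./g
SEDCMD_PATTERN = re.compile(r"\(\d+\)")

# The alternatives of the [windnsnull] REGEX, split out and named so the branch
# that drops a line can be reported. Joined in order they reproduce the stanza.
ALTERNATIVES = [
    ("line does not start with a digit", r"^[^\d]"),
    ("one-level name", r"\s\.[A-Za-z0-9_-]+\.\s*$"),
    ("IN-ADDR", r"IN-ADDR"),
    ("in-addr", r"in-addr"),
    ("Snd", r"\sSnd\s"),
    ("R Q", r"\sR\sQ\s"),
    ("ip6.arpa", r"\.ip6\.arpa"),
    ("NXDOMAIN", r"NXDOMAIN"),
    ("windowsupdate.com", r"windowsupdate\.com"),
]
NULLQUEUE_RE = re.compile("(" + "|".join(p for _, p in ALTERNATIVES) + ")")


def apply_sedcmd(line: str) -> str:
    r"""Mimic s/\(\d+\)/./g: "(3)www(7)example(3)com(0)" -> ".www.example.com." """
    return SEDCMD_PATTERN.sub(".", line)


def first_match(text: str):
    """Return the name of the first REGEX alternative that matches, or None."""
    for name, pattern in ALTERNATIVES:
        if re.search(pattern, text):
            return name
    return None


def route(line: str, sedcmd_first: bool = True) -> str:
    """Decide where the line goes: 'nullQueue' if the transform matches, else 'indexQueue'.

    sedcmd_first=True assumes (as this example does) that the SEDCMD rewrite has
    already been applied to _raw when the routing regex is evaluated.
    """
    text = apply_sedcmd(line) if sedcmd_first else line
    return "nullQueue" if NULLQUEUE_RE.search(text) else "indexQueue"


def explain(lines, sedcmd_first: bool = True):
    """Map each line to (queue, matching alternative or None) for inspection."""
    result = []
    for line in lines:
        text = apply_sedcmd(line) if sedcmd_first else line
        result.append((route(line, sedcmd_first), first_match(text)))
    return result


if __name__ == "__main__":
    for line, (queue, why) in zip(RAW_LINES, explain(RAW_LINES)):
        print(f"{queue:<10} {why or '-':<34} {apply_sedcmd(line)[-40:]}")
    print()
    print("without SEDCMD applied first:")
    for line, (queue, why) in zip(RAW_LINES, explain(RAW_LINES, sedcmd_first=False)):
        print(f"{queue:<10} {why or '-':<34} {line[-40:]}")
```

Run as-is and the two one-level names, the `Snd` response and the indented continuation line land in nullQueue, while `.www.example.com.` is indexed; in the second table the `(8)gishpcs3(0)` line is indexed because nothing in the one-level alternative can match a name that still carries its `(N)` prefixes.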

martin_mueller
SplunkTrust

Do post the full configuration regarding these events, from their stanza in inputs.conf to props.conf to transforms.conf.
