Hello,
I would like to modify format of MS DNS debug logs in order to get rid of some unimportant strings within domain names. I was playing with SEDCMD stanza in props.conf but not with success.
Log format as extracted by Splunk add-on for Microsoft DNS:
1. 2. 2017 20:19:22 0D80 PACKET 0000002548D040A0 UDP Rcv 10.17.81.32 7be7 Q [0001 D NOERROR] A **(5)h42-m(3)sec(3)lab(0)**
The problem is with (5)h42-m(3)sec(3)lab(0)"
I need to get events to look as follows:
2017 20:19:22 0D80 PACKET 0000002548D040A0 UDP Rcv 10.17.81.32 7be7 Q [0001 D NOERROR] A **h42-m.sec.lab**
When I implemented this ...
SEDCMD-remove_parens_num = s/((\d))/./g
SEDCMD-remove_first_period = s/^(.)//g
SEDCMD-remove_last_period = s/(.)$//g
... I stopped seeing my DNS logs in GUI permanently after the restart of Splunk. I do not understand. Any idea?
Tomas
↧