ZachChristensen28/TA-pihole_dns

src_ip and src_port do not extract in transforms.conf after 5.2.x Pihole update

Closed this issue · 2 comments

Pihole changed the logging format so some of the extractions do not work.

I did a manual field extraction in Splunk and it works there.
I added the following RegEx to transforms.conf:

[pihole_src_src_port]
#OG REGEX  = dnsmasq\[[^\]]*\]\:\s\S+\s([^\/]*)\/(\S+)\s
# The replacement regex below has only one capture group ($1), so a FORMAT that
# references $2 for src_port never gets a value; only src_ip is populated.
REGEX = from (\d+\.\d+\.\d+\.\d+)
FORMAT = src_ip::$1

Here is a sample of the data and a regex that seems to work:
https://regex101.com/r/vSBWp1/1

I used the default extract from the other issue, #14, as my base.

My current Pihole setup is on Ubuntu Server 18.04 with a Splunk HF (v8.0.5) sending to a standalone Splunk server running v8.1.0.1. I have updated both TAs accordingly and restarted both Splunk instances to commit the custom changes.

Pasting the same comment on each related issue:

Please check whether log-queries=extra is set in /etc/dnsmasq.d/01-pihole.conf. If not, this could be the root cause of the issue. Any time Pi-hole updates, it overwrites this file. So if you have set this setting in the past, it would be erased during an update.

To fix, add log-queries=extra in /etc/dnsmasq.d/01-pihole.conf, or follow the instructions at the top of the file and create a new file in the same directory with this change. Note: creating your own file to override this setting may cause issues during an update. Removing the file and then re-adding it after the update will fix the issue.

Make sure to run pihole restartdns after updating settings so the changes take effect.
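The following is an added example, not code from the TA-pihole_dns project or from either commenter. It emulates the [pihole_src_src_port] stanza against two constructed dnsmasq log lines (one written with log-queries=extra, one without), showing why the original regex loses both fields once a Pi-hole update removes the setting and why the posted workaround regex can only ever yield src_ip. It also checks a set of /etc/dnsmasq.d file contents for an uncommented log-queries=extra, which is the check the comment above asks for. The sample lines and file contents are constructed; the path /etc/dnsmasq.d and the override file name 99-extra-logging.conf are assumptions for illustration.

```python
"""Added example; not code from the TA-pihole_dns project.

Shows why the transforms.conf extraction of src_ip/src_port depends on
dnsmasq's log-queries=extra setting, and checks dnsmasq.d file contents
for that setting. Log lines and config contents below are constructed.
"""
import re
from pathlib import Path

# Original regex from the TA's [pihole_src_src_port] stanza (the "OG REGEX").
ORIGINAL_REGEX = re.compile(r"dnsmasq\[[^\]]*\]\:\s\S+\s([^\/]*)\/(\S+)\s")
# Workaround regex posted in the issue. It has only ONE capture group, so a
# FORMAT that references $2 for src_port never receives a value.
WORKAROUND_REGEX = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")

# Constructed sample: with log-queries=extra, dnsmasq prefixes each query
# line with a serial number and the requester's "<ip>/<port>".
LINE_EXTRA = ("Nov  8 10:15:32 dnsmasq[1234]: 42 192.168.1.20/51234 "
              "query[A] example.com from 192.168.1.20")
# Constructed sample: without the setting (the state after an update has
# rewritten 01-pihole.conf) only the trailing "from <ip>" remains.
LINE_PLAIN = ("Nov  8 10:15:32 dnsmasq[1234]: "
              "query[A] example.com from 192.168.1.20")


def extract_src(line, regex=ORIGINAL_REGEX):
    """Emulate the stanza: REGEX plus FORMAT = src_ip::$1 src_port::$2.

    Returns only the fields that actually receive a value; a group the
    regex does not define is left unpopulated rather than invented.
    """
    m = regex.search(line)
    if not m:
        return {}
    fields = {"src_ip": m.group(1)}
    if regex.groups >= 2:
        fields["src_port"] = m.group(2)
    return fields


# An uncommented "log-queries=extra" line; lines starting with '#' are
# comments to dnsmasq and must not count as the setting being active.
SETTING = re.compile(r"^\s*log-queries\s*=\s*extra\s*$")


def find_extra_logging(confs):
    """Given {filename: contents} for a dnsmasq.d directory, return the name
    of the first file (in sorted order) that enables log-queries=extra, or
    None when no file does."""
    for name in sorted(confs):
        for raw in confs[name].splitlines():
            if SETTING.match(raw):
                return name
    return None


def load_dnsmasq_confs(directory="/etc/dnsmasq.d"):
    """Read every *.conf in a dnsmasq.d directory into the dict shape that
    find_extra_logging() expects (assumes the files are readable)."""
    return {p.name: p.read_text(errors="replace")
            for p in Path(directory).glob("*.conf")}


if __name__ == "__main__":
    for label, line in (("extra", LINE_EXTRA), ("plain", LINE_PLAIN)):
        print(label, "original:", extract_src(line),
              "workaround:", extract_src(line, WORKAROUND_REGEX))
    # Constructed dnsmasq.d contents: 01-pihole.conf as an update leaves it
    # (setting gone), then the same plus a separate override file.
    after_update = {"01-pihole.conf": "log-queries\n"
                                       "log-facility=/var/log/pihole.log\n"}
    print("setting in:", find_extra_logging(after_update))
    with_override = dict(after_update,
                         **{"99-extra-logging.conf": "log-queries=extra\n"})
    print("setting in:", find_extra_logging(with_override))
```

Run against a live box with `find_extra_logging(load_dnsmasq_confs())`; a None result means the extraction will silently drop src_ip and src_port until the setting is restored and `pihole restartdns` is run.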

Changed back to log-queries=extra, and that worked.

Closing