11[INGEST:vendor="infoblox", product="infoblox", target_dataset="infoblox_infoblox_raw", no_hit=keep]
22/*
3- This filter applies to DNS Queries & Responses events, which contain an internal timestamp within the syslog message.
4- It supports timestamp ingestion for the following timestamp format: <dd-mmm-YYYY HH:MM:SS.uuu>.
5- For example: "18-Jan-2024 13:03:44.821".
6- The timestamp is interpreted in a GMT+0 timezone.
7- See https://docs.infoblox.com/space/nios85/35816694/Capturing+DNS+Queries+and+Responses for additional details.
8- */
9- filter _raw_log ~= "\d{2}\-\w{3}\-\d{4}\s+\d{2}:\d{2}:\d{2}\.\d{3}"
10- | alter tmp_timestamp_string = arrayindex(regextract(_raw_log, "\d{2}\-\w{3}\-\d{4}\s+\d{2}:\d{2}:\d{2}\.\d{3}"), 0)
11- | alter _time = parse_timestamp("%d-%b-%Y %H:%M:%E3S", tmp_timestamp_string)
12- | fields - tmp_timestamp_string; // Remove the temporary utility field
3+ This parsing rule normalizes timestamps from Infoblox logs that may include one of three
4+ supported timestamp formats, extracted into the following variables:
135
14- /*
15- This filter applies to syslog messages that are sent to Cortex XSIAM from Infoblox directly (Excluding DNS Queries & Responses events),
16- as opposed to event logs which are downloaded to a file and sent to Cortex XSIAM indirectly via an intermediate syslog client.
17- It supports timestamp ingestion in the following formats <Mmm dd hh:mm:ss>
18- where Mmm is the English language abbreviation for the month of the year with the first character in uppercase and the other two
19- characters in lowercase, and dd is the day of the month, where if the day of the month is less
20- than 10, then it MUST be represented as a space and then the number, as in the RFC 3164 timestamp format.
21- For example: "Jan 9 21:30:48" or "Jan 18 21:30:48".
22- The timestamp is interpreted in a GMT+0 timezone, and the year is derived from current year.
23- */
24- filter // Exclude DNS Queries & Responses events timestamp format
25- _raw_log !~= "\d{2}\-\w{3}\-\d{4}\s+\d{2}:\d{2}:\d{2}\.\d{3}" and _raw_log ~= "\<\d+\>\w{3}\s+\d{1,2}\s+\d{2}\:\d{2}\:\d{2}\s+"
26- | alter // Extract current year and raw timestamp
27- tmp_current_year = to_string(format_timestamp("%Y",current_time())),
28- tmp_raw_timestamp_string = arrayindex(regextract( _raw_log, "\<\d+\>(\w{3}\s+\d{1,2}\s+\d{2}\:\d{2}\:\d{2})\s+"), 0)
29- | alter // Reformat the raw timestamp representation with current year
30- tmp_current_year_timestamp_string = concat(tmp_current_year, " ", tmp_raw_timestamp_string)
31- | alter // Convert the timestamp string representation to datetime format
32- tmp_current_year_timestamp_datetime = parse_timestamp("%Y %b %e %H:%M:%S", tmp_current_year_timestamp_string)
33- | alter // Check if the calculated date is in the future (due to year transitioning during log ingestion )
34- tmp_time_difference = timestamp_diff(tmp_current_year_timestamp_datetime, current_time(), "MILLISECOND")
35- | alter // Calculate previous year if necessary
36- tmp_previous_year = if(tmp_time_difference > 0, to_string(subtract(to_integer(tmp_current_year), 1)), null)
37- | alter // Adjust timestamp to previous year if required
38- tmp_previous_year_timestamp_string = if(tmp_previous_year != null, concat(tmp_previous_year, " ", tmp_raw_timestamp_string), null)
39- | alter // Converts the previous year string representation to datetime format
40- tmp_previous_year_timestamp_datetime = if(tmp_previous_year_timestamp_string != null, parse_timestamp("%Y %b %e %H:%M:%S", tmp_previous_year_timestamp_string), null)
41- | alter // Set to the relevant timestamp
42- _time = coalesce(tmp_previous_year_timestamp_datetime, tmp_current_year_timestamp_datetime)
43- | fields - tmp*; // Remove all temporary util fields
6+ 1) tmp_dns_timestamp
7+ • Applies to DNS Queries & Responses events that contain an internal timestamp
8+ within the syslog message payload.
9+ • Format: <dd-Mmm-YYYY HH:MM:SS.uuu>
10+ Example: "18-Jan-2024 13:03:44.821"
11+ • Timezone: Interpreted as GMT+0 (UTC).
12+ • Reference: https://docs.infoblox.com/space/nios85/35816694/Capturing+DNS+Queries+and+Responses
4413
45- /*
46- This filter applies to other syslog messages that are sent to Cortex XSIAM indirectly via an intermediate syslog client,
47- which is compatible with RFC5424. For example if the logs from Infoblox are downloaded to a file,
48- and an intermediate syslog process then reads these records and forwards them to Cortex XSIAM.
49- It Supports RFC 5424 compatible timestamps format, which include a seconds fraction precision.
50- For example: "2023-10-29T11:18:59.123Z", or "2023-10-29T11:18:59.123456-06:00".
51- The timezone is extracted from the RFC5424 timestamp.
14+ 2) tmp_direct_timestamp
15+ • Applies to syslog messages sent directly from Infoblox (excluding DNS Q/R).
16+ • Format: <Mmm dd hh:mm:ss> — RFC 3164 style (no year, no timezone).
17+ Examples: "Jan 9 21:30:48", "Jan 18 21:30:48"
18+ • Timezone: Interpreted as GMT+0 (UTC).
19+ • Year: Derived from the current year.
20+
21+ 3) tmp_syslog_timestamp
22+ • Applies to syslog messages sent indirectly via an intermediate syslog client
23+ that uses RFC 5424-compatible formatting.
24+ • Formats:
25+ "YYYY-MM-DDThh:mm:ss.sssZ"
26+ "YYYY-MM-DDThh:mm:ss.ssssss±HH:MM"
27+ Examples: "2023-10-29T11:18:59.123Z", "2023-10-29T11:18:59.123456-06:00"
28+ • Timezone: Extracted directly from the timestamp (Z normalized to +00:00).
29+
30+ The parser selects the most appropriate timestamp in this order of precedence:
31+ 1) DNS (application event time)
32+ 2) RFC 5424 (header time with timezone)
33+ 3) Direct Infoblox (RFC 3164 style, derived year)
5234*/
53- filter // Exclude DNS Queries & Responses events timestamp format and Infoblox syslog messages timestamp format
54- _raw_log ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d+([+-]\d{2}:\d{2}|Z)" and _raw_log !~= "\d{2}\-\w{3}\-\d{4}\s+\d{2}:\d{2}:\d{2}\.\d{3}" and _raw_log !~= "\<\d+\>\w{3}\s+\d{1,2}\s+\d{2}\:\d{2}\:\d{2}\s+"
55- | alter tmp_raw_timestamp = arrayindex(regextract(_raw_log, "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\S+"), 0)
56- | alter tmp_timestamp = replace(to_string(tmp_raw_timestamp), "Z", "+00:00") // normalize zulu time timezone to a numeric offset
57- | alter tmp_precision = arrayindex(regextract(tmp_timestamp, "\.(\d{1,6})"), 0)
58- | alter tmp_precision_length = len(tmp_precision)
59- | alter tmp_time = if( // adjust parsing format according to the precision length
60- tmp_precision_length = 1, parse_timestamp("%FT%H:%M:%E1S%Ez", tmp_timestamp),
61- tmp_precision_length = 2, parse_timestamp("%FT%H:%M:%E2S%Ez", tmp_timestamp),
62- tmp_precision_length = 3, parse_timestamp("%FT%H:%M:%E3S%Ez", tmp_timestamp),
63- tmp_precision_length = 6, parse_timestamp("%FT%H:%M:%E6S%Ez", tmp_timestamp))
64- | alter _time = tmp_time
35+ filter _raw_log ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d+([+-]\d{2}:\d{2}|Z)" or _raw_log ~= "\d{2}\-\w{3}\-\d{4}\s+\d{2}:\d{2}:\d{2}\.\d{3}" or _raw_log ~= "\<\d+\>\w{3}\s+\d{1,2}\s+\d{2}\:\d{2}\:\d{2}\s+"
36+ | alter tmp_current_year = to_string(format_timestamp("%Y",current_time()))
37+ | alter tmp_dns_timestamp = arrayindex(regextract(_raw_log, "\d{2}\-\w{3}\-\d{4}\s+\d{2}:\d{2}:\d{2}\.\d{3}"), 0),
38+ tmp_direct_timestamp = concat(tmp_current_year, " ", arrayindex(regextract( _raw_log, "\<\d+\>(\w{3}\s+\d{1,2}\s+\d{2}\:\d{2}\:\d{2})\s+"), 0)),
39+ tmp_syslog_timestamp = replace(arrayindex(regextract(_raw_log, "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\S+"), 0), "Z", "+00:00") // normalize zulu time timezone to a numeric offset
40+ | alter _time = if(tmp_dns_timestamp != null and tmp_dns_timestamp != "", parse_timestamp("%d-%b-%Y %H:%M:%E*S", tmp_dns_timestamp) , tmp_syslog_timestamp!= null and tmp_syslog_timestamp != "",parse_timestamp("%FT%H:%M:%E*S%Ez", tmp_syslog_timestamp), tmp_direct_timestamp != null and tmp_direct_timestamp != "", parse_timestamp("%Y %b %e %H:%M:%S", tmp_direct_timestamp))
6541| fields - tmp*; // Remove all temporary util fields