
DNS Recursive Cache Size

Expert
Posts: 181

We have been watching the recursive cache size of our members using ibgraph and some custom parsing of the syslog messages.  This has allowed us to catch some ongoing issues with runaway cache sizes before they became an issue.  I was hoping to move this functionality over to the reporter.

I parse the line below to both graph and alert on the size field.

May 16 04:38:18 x.x.x.x named[17051]: Recursion cache view "_default": size = 946008734, hits = 132684972, misses = 249997777

 


Moving this to the reporter member, I've gotten this far:
It appears that this source (/infoblox/var/reporting/cache-hits-misses.txt) in the reporting member also parses the syslog line but only grabs the hits and misses per member and view.

The fields view, hits, and misses are extracted with this regex in the field extractor:

^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}(\s\S+)?\s2\s(?P<VIEW>[^ ]+)\s(?P<HITS>\d+)\s(?P<MISSES>\d+)$

But at that regex it looks like the actual syslog line has already been partially parsed and doesn't have the needed size value any more.  (I think, maybe)

How do I get that source to also grab the size or create a new source that looks at that syslog line and does the parsing I need?

I can't find anything in the Infoblox admin guide related to this.  When I dig into the Splunk documentation, many of the menu options are missing or grayed out when I try and replicate it in Infoblox.

 

Is this even possible to do?


I have a similar issue with the DHCP deferred DDNS updates.  A spike in these deferred updates usually points us to a problem with the GSS-TSIG process.

May 16 06:59:57 x.x.x.x dhcpd[19806]: Processed 3 deferred DNS updates: 0 successes, 3 deferred again, 0 abandoned (0 unexpired, 0 disabled, not processed)

Re: DNS Recursive Cache Size

Adviser
Posts: 82

It is possible since NIOS 7.3.200 to redirect syslog to reporting to have the original syslog data.

 

1) Enable Syslog redirection & syslog index in reporting properties

[Screenshot]

e.g.

May 16 04:38:18 x.x.x.x named[17051]: Recursion cache view "_default": size = 946008734, hits = 132684972, misses = 249997777

 

Then Splunk automatic field extraction extracts the size, hits & misses fields.

 

 

2) Statistics

index=ib_syslog "Recursion cache view" | table _time,size,hits,misses

 

 

[Screenshot]

 

 

3) Graphing

[Screenshot]

The same solution applies for your DDNS report.
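
The field extraction and alerting discussed in this thread, as an added example (not part of either post and not Infoblox or Splunk code): a stand-alone Python parser for the two syslog lines quoted above that flags a cache size or "deferred again" count over a threshold. The function names and threshold values are assumptions chosen for illustration.

```python
import re

# Patterns for the two syslog lines quoted in the thread.
CACHE_RE = re.compile(
    r'named\[\d+\]: Recursion cache view "(?P<view>[^"]+)": '
    r'size = (?P<size>\d+), hits = (?P<hits>\d+), misses = (?P<misses>\d+)')
DDNS_RE = re.compile(
    r'dhcpd\[\d+\]: Processed (?P<processed>\d+) deferred DNS updates: '
    r'(?P<successes>\d+) successes, (?P<deferred_again>\d+) deferred again, '
    r'(?P<abandoned>\d+) abandoned')

# Sample input: the first two lines are quoted from the thread, the third is
# a constructed line that matches neither pattern.
SAMPLE = [
    'May 16 04:38:18 x.x.x.x named[17051]: Recursion cache view "_default": '
    'size = 946008734, hits = 132684972, misses = 249997777',
    'May 16 06:59:57 x.x.x.x dhcpd[19806]: Processed 3 deferred DNS updates: '
    '0 successes, 3 deferred again, 0 abandoned '
    '(0 unexpired, 0 disabled, not processed)',
    'May 16 07:00:01 x.x.x.x named[17051]: constructed unrelated message',
]

def parse_line(line):
    """Return (kind, fields) for a recognised line, or None."""
    for kind, rx in (("cache", CACHE_RE), ("ddns", DDNS_RE)):
        m = rx.search(line)
        if m:
            return kind, {k: v if k == "view" else int(v)
                          for k, v in m.groupdict().items()}
    return None

def find_alerts(lines, max_cache_size, max_deferred_again):
    """Return (kind, view, value) for each line over its threshold.

    Both thresholds are assumptions; derive them from your own baseline.
    """
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        if kind == "cache" and f["size"] > max_cache_size:
            alerts.append(("cache", f["view"], f["size"]))
        elif kind == "ddns" and f["deferred_again"] > max_deferred_again:
            alerts.append(("ddns", None, f["deferred_again"]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE, 900_000_000, 2):
        print(alert)
```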
