Channel: Latest Questions on Splunk Answers

Summary Index or not?


All,

We have Windows and Linux BIND DNS servers logging into one index in Splunk. Because of the way Windows logs domain names in DNS requests we are doing a search time extraction. If I want to search both types of DNS logs for any lookups for www.splunk.com we do a search this way:

index=dnslogs win_query="www.splunk.com" bind_query="www.splunk.com"

It works but is very inefficient because of the search time extraction on win_query. What I would like to do is create a new index and populate it with the unique values from each of those fields daily, deduping between fields of course. I have been researching and am not certain that a summary index is what I want. We basically want to search months' worth of DNS logs to see if a domain shows up or not. At that point we don't need the actual log event, just that it exists or not. Is it possible to take unique values from 2 different fields and populate a new index with those values? Other suggestions?
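One way to do what the question describes with standard SPL, added here as an editor's example rather than the poster's own searches or a posted answer: a scheduled search (run once a day over the previous day) merges the two extracted fields with coalesce, lowercases them so Windows and BIND spellings of the same name dedupe together, reduces each name to a single row with stats, and writes those rows into a dedicated index with collect; the second search then answers the "has this domain ever appeared" question against that small index instead of the raw logs. The index name dns_domains, the source value and the field names lookups, first_seen and last_seen are assumptions for this example; index=dnslogs, win_query and bind_query are the poster's.

```spl
index=dnslogs earliest=-1d@d latest=@d (win_query=* OR bind_query=*)
| eval domain=lower(coalesce(win_query, bind_query))
| stats count AS lookups, min(_time) AS first_seen, max(_time) AS last_seen BY domain
| collect index=dns_domains source="dns_unique_domains"

index=dns_domains domain="www.splunk.com"
| stats sum(lookups) AS lookups, min(first_seen) AS first_seen, max(last_seen) AS last_seen BY domain
```

The first search pays the win_query extraction cost once per day instead of on every investigation; the destination index must already exist, and collect will not create it.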
