Good morning, I'm pretty newbie about ELK.
I'm trying to use ELK to analyze DNS query log.
I would like to add a field created splitting another field.
I have a field like this:
"query" => "clients1.google.com.",
I want to generate a new one like "domain" => "google.com"
How can we do it?
Do you always want to extract the two last labels in the DNS name? What about clients1.google.co.uk?
I did not think about this kind of problem.
How can I extract 3 fields?
Do you have any other suggestion to aggregate this kind of data?
How can I extract 3 fields?
Same way as you'd extract two fields, but how would you know whether to extract two or three?
Anyway, you can use a grok filter to extract parts of strings.
This exact question has come up here in the past. Perhaps you can find it in the archives?
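As an added illustration (not code from the thread or from Logstash), the following Ruby shows both approaches discussed above: the "last two labels" extraction that a grok pattern such as `(?<domain>[^.]+\.[^.]+)\.?$` would perform, and a suffix-aware variant that handles names like clients1.google.co.uk. The suffix list is a constructed excerpt, not the real Public Suffix List, and `add_domain_field` is a hypothetical stand-in for a Logstash ruby filter's event.get/event.set calls.

```ruby
# Added example, not from the thread: derive a "domain" field from a DNS
# "query" field such as "clients1.google.com.".
# Assumption: the query is a fully-qualified name, usually with a trailing dot.

# Constructed excerpt of multi-label public suffixes. A real deployment would
# load the full Public Suffix List (https://publicsuffix.org/) instead.
MULTI_LABEL_SUFFIXES = %w[co.uk org.uk ac.uk com.au co.jp].freeze

# Approach 1: keep the last two labels. This is what a grok pattern like
#   (?<domain>[^.]+\.[^.]+)\.?$
# would extract. Correct for google.com, wrong for google.co.uk (gives "co.uk").
def last_two_labels(query)
  m = /(?<domain>[^.]+\.[^.]+)\.?\z/.match(query)
  m && m[:domain]
end

# Approach 2: find the longest known public suffix and keep one extra label,
# which yields the registrable domain ("google.co.uk", not "co.uk").
def registrable_domain(query)
  name = query.chomp(".").downcase   # DNS names are case-insensitive
  labels = name.split(".")
  suffix_len = 1                     # default: a single-label TLD such as "com"
  MULTI_LABEL_SUFFIXES.each do |sfx|
    n = sfx.count(".") + 1
    suffix_len = n if n > suffix_len && labels.last(n).join(".") == sfx
  end
  # A name that is only a public suffix ("co.uk.") has no registrable domain.
  return nil if labels.size <= suffix_len
  labels.last(suffix_len + 1).join(".")
end

# Hypothetical stand-in for a Logstash ruby filter: in Logstash you would use
# event.get("query") and event.set("domain", ...) instead of a plain Hash.
def add_domain_field(event)
  domain = registrable_domain(event["query"].to_s)
  return event if domain.nil?
  event.merge("domain" => domain)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample events
  [{ "query" => "clients1.google.com." }, { "query" => "clients1.google.co.uk." }].each do |ev|
    puts add_domain_field(ev).inspect
  end
end
```

In a Logstash pipeline the two-label version maps directly onto a grok filter; the suffix-aware version needs a ruby filter (or a dedicated plugin) because grok alone cannot know how many labels make up the public suffix.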