Converting PTR records to IP in logstash


(Sarfaraz Ahmad) #1

Hi,

I am working with DNS query logs and I want the PTR record to change to the IP address.
From: 4.3.2.1.in-addr.arpa to 1.2.3.4

I am trying to use the ruby filter and add this information as a new field to the event object.
This is what my config looks like (the code section of the ruby filter):

           if !event.get('queryType').include? 'PTR'
                event['ip'] = event.get('queryName').match(/((?:[0-9]{0,3}.){4}?).*in/)[1].chomp(".").split(".").reverse.join(".")
           end

But Logstash fails to start up. How do I debug this?
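
The conversion asked about above, written as a standalone Ruby function. This is an added example, not code from the original post. It validates the name before reversing it and also handles `ip6.arpa` names, which goes beyond the IPv4 case in the question. The function name `ptr_to_ip` and the sample names are constructed for illustration; the field names `queryName` and `ip` are taken from the post.

```ruby
require 'ipaddr'

# Convert a reverse-lookup (PTR) query name to the IP address it encodes.
# Returns nil for anything that is not a well-formed in-addr.arpa or
# ip6.arpa name, so a malformed query name in the DNS log never raises
# inside the pipeline and never yields a bogus address field.
# ptr_to_ip is a hypothetical helper name, not part of Logstash.
def ptr_to_ip(name)
  return nil unless name.is_a?(String)

  labels = name.downcase.chomp('.').split('.')
  suffix = labels.pop(2).join('.')
  case suffix
  when 'in-addr.arpa'
    # Exactly four decimal octets, each 0-255, no leading zeros.
    octet = /\A(0|[1-9]\d{0,2})\z/
    return nil unless labels.size == 4 &&
                      labels.all? { |l| l =~ octet && l.to_i <= 255 }

    labels.reverse.join('.')
  when 'ip6.arpa'
    # Exactly 32 single hex nibbles, least significant nibble first.
    return nil unless labels.size == 32 &&
                      labels.all? { |l| l =~ /\A[0-9a-f]\z/ }

    IPAddr.new(labels.reverse.join.scan(/.{4}/).join(':')).to_s
  end
end

# Inside a Logstash ruby filter the same logic would be applied through
# the event getter/setter API, for example:
#   ip = ptr_to_ip(event.get('queryName'))
#   event.set('ip', ip) if ip

if __FILE__ == $PROGRAM_NAME
  # Constructed sample query names, not taken from real logs.
  [
    '4.3.2.1.in-addr.arpa',
    '4.3.2.1.IN-ADDR.ARPA.',
    '1.0/25.2.0.192.in-addr.arpa', # classless delegation label, rejected
    '256.3.2.1.in-addr.arpa',      # octet out of range, rejected
    'www.example.com'              # not a reverse-lookup name, rejected
  ].each { |n| puts "#{n} -> #{ptr_to_ip(n).inspect}" }
end
```
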

