Discect rule with a "+" sign in the message, can't escape it

UPPERCASE · July 18, 2023, 11:15am

I have the following disect rule: %{timestamp} queries: info: client @%{dns_client} %{source_ip}#%{source_port} (%{query}): query: %{query_2} IN %{class} + (%{dns_server}), which is from a BIND DNS server (querylog).

Which splits the querylogs into these fields:

{
  "docs": [
    {
      "doc": {
        "_index": "index",
        "_id": "id",
        "_version": "-3",
        "_source": {
          "dns_client": "0x80",
          "@timestamp": "2023-07-18T13:12:50.570+02:00",
          "source_port": "37651",
          "query": "nodename",
          "query_2": "nodename",
          "dns_server": "x.x.x.x",
          "message": "18-Jul-2023 13:12:50.570 queries: info: client @0x80 x.x.x.x#37651 (tcn11-xcc): query: nodename IN AAAA + (x.x.x.x)",
          "class": "AAAA +",
          "source_number": "37651",
          "source_ip": "x.x.x.x"
        },
        "_ingest": {
          "timestamp": "2023-07-18T11:12:43.590896651Z"
        }
      }
    }
  ]
}

I don't get why "class": "AAAA +" includes the "+". Can someone point me to my mistake?

Marius_Dragomir · July 18, 2023, 2:10pm

Do you also have a few samples from the log lines that you're processing? It will make debug easier.

UPPERCASE · July 19, 2023, 8:36am

Thanks for your reply! I found the issue already, there was another ingest pipeline that split the lines the wrong way. This caused the confusion.

system · August 16, 2023, 8:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.