Discect rule with a "+" sign in the message, can't escape it

I have the following disect rule: %{timestamp} queries: info: client @%{dns_client} %{source_ip}#%{source_port} (%{query}): query: %{query_2} IN %{class} + (%{dns_server}), which is from a BIND DNS server (querylog).

Which splits the querylogs into these fields:

  "docs": [
      "doc": {
        "_index": "index",
        "_id": "id",
        "_version": "-3",
        "_source": {
          "dns_client": "0x80",
          "@timestamp": "2023-07-18T13:12:50.570+02:00",
          "source_port": "37651",
          "query": "nodename",
          "query_2": "nodename",
          "dns_server": "x.x.x.x",
          "message": "18-Jul-2023 13:12:50.570 queries: info: client @0x80 x.x.x.x#37651 (tcn11-xcc): query: nodename IN AAAA + (x.x.x.x)",
          "class": "AAAA +",
          "source_number": "37651",
          "source_ip": "x.x.x.x"
        "_ingest": {
          "timestamp": "2023-07-18T11:12:43.590896651Z"

I don't get why "class": "AAAA +" includes the "+". Can someone point me to my mistake?

Do you also have a few samples from the log lines that you're processing? It will make debug easier.

1 Like

Thanks for your reply! I found the issue already, there was another ingest pipeline that split the lines the wrong way. This caused the confusion.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.