DNS Filter - only first value in reverse array works

Elastic Stack Logstash
1

This is my filter:

filter {
        if [type] == "netflow" {

        mutate {
                add_field => {
                        "[netflow][ipv4_dst_host]" => "%{[netflow][ipv4_dst_addr]}"
                        "[netflow][ipv4_src_host]" => "%{[netflow][ipv4_src_addr]}"
                        }
                }
        dns {
                # DNS Filter
                nameserver => [ "172.18.65.20", "172.18.65.30" ]
                action => "replace"
                reverse => [ "[netflow][ipv4_dst_host]", "[netflow][ipv4_src_host]" ]
                }
        }
}

Only [netflow][ipv4_dst_host] is filled with correct value.

Reverse lookups ipv4_src_host does never work.

Have I written some syntax wrong?

2

What version are you on?

3

I am on version 5.1.

Why does the plugin have an array, if it only can reverse one string?

Should I just enter two filters instead?

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.