Hello Experts,
I have the log stream data below, which is DNS query data, where a literal dot appears after "view external: query:".
That position usually holds an IP address or a domain name, but in some cases it comes through as a dot, which is being presented as null,
whereas I want it stored in a variable that can later be seen as a literal dot (.)
in the Kibana dashboard.
30-Jul-2019 22:35:19.766 queries: info: client 192.6.11.5#44401: view external: query: . IN A + (192.140.1.6) <-- this is the log line that has the dot
31-Jul-2019 22:30:03.278 queries: info: client 192.6.11.5#42899: view external: query: api.zhuti.intl.xiaomi.com IN A +ED (192.140.1.6) <-- this is the usual log stream
Below is the grok I'm using to parse the above logs; I'm looking for a grok that works for both log patterns.
%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} queries: info: client %{IPV4:internal_dns}#%{INT:srcport}:%{SPACE}view %{WORD:view}:%{SPACE}query:%{SPACE}%{NOTSPACE:Client_Address} %{WORD:querytype1} %{WORD:querytype2} %{NOTSPACE:querytype3}%{SPACE}\(%{IPV4:external_dns}\)
Please suggest.
Thanks for the help in advance.
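The two lines quoted above, run through a small grok-to-regex compiler, as an added example (this is not the poster's code and not Logstash's own implementation): it shows why a "(?:%{HOSTNAME:Client_Address}|(.*))" alternation produces null for the root query "." (HOSTNAME requires a label to start with a letter or digit, so the fallback "(.*)" captures the dot into an unnamed group that Logstash never emits as a field), and that a "%{NOTSPACE:Client_Address}" capture keeps the literal dot. The pattern table is an abbreviated subset of the grok patterns Logstash ships, assumed equivalent for these lines; HOSTNAME is copied verbatim because its behaviour on "." is the point.

```python
import re
from typing import Optional

# Abbreviated versions of the patterns bundled with Logstash's grok filter
# (assumption: equivalent to the real ones for the two BIND query lines below).
# HOSTNAME is copied verbatim because its behaviour on "." is the whole point.
GROK_PATTERNS = {
    "INT": r"[+-]?[0-9]+",
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\b",
    "HOUR": r"(?:2[0-3]|[01]?[0-9])",
    "MINUTE": r"[0-5][0-9]",
    "SECOND": r"(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?",
    "TIME": r"(?<![0-9])%{HOUR}:%{MINUTE}:%{SECOND}(?![0-9])",
    "IPV4": r"(?<![0-9])(?:[0-9]{1,3}[.]){3}[0-9]{1,3}(?![0-9])",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "SPACE": r"\s*",
    "DATA": r".*?",
}

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME} / %{NAME:field} references into a Python regex.

    %{NAME:field} becomes a named group and %{NAME} a non-capturing group,
    mirroring how Logstash compiles grok: with its default
    named_captures_only => true, anything matched by an unnamed group such
    as (.*) is dropped, which is what turns the dot into a missing field.
    """
    def expand(m: re.Match) -> str:
        inner = grok_to_regex(GROK_PATTERNS[m.group(1)])  # patterns nest (TIME uses HOUR)
        return f"(?P<{m.group(2)}>{inner})" if m.group(2) else f"(?:{inner})"
    return _GROK_REF.sub(expand, pattern)


def grok_match(pattern: str, line: str) -> Optional[dict]:
    """Return the named fields of the first match, or None if nothing matches."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


# Pattern with the HOSTNAME|(.*) alternation: "." is captured by the unnamed
# group only, so Client_Address stays None (null in Kibana).
ORIGINAL_GROK = (
    r"%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} queries: info: client "
    r"%{IPV4:internal_dns}#%{INT:srcport}:%{DATA}:%{SPACE}%{WORD}:%{SPACE}"
    r"(?:%{HOSTNAME:Client_Address}|(.*)) %{DATA:querytpe1} %{DATA:querytype2} "
    r"%{DATA:querytype3} %{SPACE}\(%{IPV4:external_dns}\)"
)

# Same layout, but the query name is any run of non-space characters, so the
# root zone "." and a hostname are both stored under Client_Address.
FIXED_GROK = (
    r"%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} queries: info: client "
    r"%{IPV4:internal_dns}#%{INT:srcport}:%{SPACE}view %{WORD:view}:%{SPACE}query:%{SPACE}"
    r"%{NOTSPACE:Client_Address} %{WORD:querytype1} %{WORD:querytype2} "
    r"%{NOTSPACE:querytype3}%{SPACE}\(%{IPV4:external_dns}\)"
)

# Constructed sample input: the two lines quoted in the post.
LOG_LINES = [
    "30-Jul-2019 22:35:19.766 queries: info: client 192.6.11.5#44401: view external: query: . IN A + (192.140.1.6)",
    "31-Jul-2019 22:30:03.278 queries: info: client 192.6.11.5#42899: view external: query: api.zhuti.intl.xiaomi.com IN A +ED (192.140.1.6)",
]


def compare(line: str) -> tuple:
    """Client_Address as seen through the original pattern and the fixed one."""
    return (grok_match(ORIGINAL_GROK, line)["Client_Address"],
            grok_match(FIXED_GROK, line)["Client_Address"])


if __name__ == "__main__":
    for line in LOG_LINES:
        print(compare(line))
```

The same substitution works unchanged in the real Logstash grok filter, since NOTSPACE, WORD and SPACE are standard bundled patterns; the "." then arrives in Elasticsearch as the string "." and displays as a literal dot in Kibana. Field names in the corrected pattern (view, querytype1..3) are assumed, not taken from any BIND or Logstash convention.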