Grok match an fqdn


I am a newbie to grok and patterns. I have been trying to grok-parse an FQDN entry which has variable length (multiple dots (.)) and uses dashes (-) and underscores (_) in the hostnames. The DNS entries could be something like this (note it has an extra dot at the end, as this came from a DNS request):

What I am trying to get is the last 2 entries, so that I can extract, say, for these entries:

(in some cases I need 3 for domains)

Here, I cannot use the WORD pattern as some characters are not included. This match works when I tested it to get the first entry only:
match => ["dns_query", "(?[A-Za-z0-9_-]+)"]

When I tried expanding it, I could not get it to work with these:
match => ["dns_query", "(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+)"]
match => ["dns_query", "(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+)"]
match => ["dns_query", "(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+)"]
match => ["dns_query", "(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+)"]

It only used the first match statement.

Any advice on what I am doing wrong?


Perhaps something like this to capture the two last domain name components, except for domains where you capture the three last?


Thanks Magnus,

I tried this in the grok match statement:

match => ["dns_query", "\.(?\<domain\>[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$"]

and I got a [0] "_grokparsefailure":

    "dns_query" => "",
         "tags" => [
        [0] "_grokparsefailure"

Any ideas?

Don't escape the angle brackets.

I forgot that you have a period at the end of the input domain which I didn't take into account in my suggestion.
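The two corrections in this thread (unescaped angle brackets in the named capture, and allowing for the trailing dot of a DNS request) put together in a runnable form. This is an added example, not code posted by anyone in the thread. Ruby's regex engine accepts the same (?<name>...) named-capture syntax that grok uses, so the pattern strings can be pasted into a grok match as they are. It assumes the label character set from the question ([A-Za-z0-9_-]) and a constructed, hypothetical list of two-label suffixes (co.uk etc.) to cover the "in some cases I need 3" case; the sample dns_query values are constructed.

```ruby
# Added example for this thread (not code posted by anyone in it): extract the
# last two labels of an FQDN from a DNS query, or the last three for a short
# constructed list of two-label suffixes, allowing for the trailing dot.

# A label may contain letters, digits, '-' and '_' (as in the question).
LABEL = '[A-Za-z0-9_-]+'.freeze

# Grok-style pattern strings. The angle brackets around the capture name are
# NOT escaped. The dot between labels IS escaped (a bare '.' matches any
# character), the trailing dot is optional, and '$' anchors the match at the
# end of the string so the LAST labels are captured, not the first ones.
TWO_LABEL_PATTERN   = "(?<domain>#{LABEL}\\.#{LABEL})\\.?$".freeze
THREE_LABEL_PATTERN = "(?<domain>#{LABEL}\\.#{LABEL}\\.#{LABEL})\\.?$".freeze

# Constructed (assumed) list of two-label suffixes where the domain needs
# three labels; a real deployment would consult the Public Suffix List.
THREE_LABEL_SUFFIXES = %w[co.uk com.au co.jp].freeze

# Returns the captured domain, or nil when the name has fewer than two labels.
def extract_domain(fqdn)
  labels = fqdn.chomp('.').split('.')        # drop the DNS trailing dot first
  return nil if labels.size < 2

  needs_three = labels.size >= 3 &&
                THREE_LABEL_SUFFIXES.include?(labels.last(2).join('.'))
  pattern = needs_three ? THREE_LABEL_PATTERN : TWO_LABEL_PATTERN

  # Match against the original string, trailing dot included, exactly as the
  # grok pattern would see the dns_query field.
  m = Regexp.new(pattern).match(fqdn)
  m && m[:domain]
end

# Constructed sample dns_query values, as a DNS request would log them.
SAMPLES = [
  'host-1_a.sub.example.com.',   # trailing dot, underscore and dash in labels
  'www.bbc.co.uk.',              # two-label suffix: needs three labels
  'mail.example.org',            # no trailing dot at all
  'localhost.'                   # single label: no domain to capture
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |q| puts "#{q.ljust(28)} => #{extract_domain(q).inspect}" }
end
```

Running the file prints one line per sample; the first yields example.com and the second bbc.co.uk. The same TWO_LABEL_PATTERN string is what a grok match for dns_query would use, with the optional \.? being the part that the earlier suggestion missed.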