Hello,
I am a newbie for grok and patterns. I have been trying to grok parse an FQDN entry which has variable length, multiple dots (.), and uses dashes (-) and underscores (_) for the hostnames. The DNS entries could be something like the following (note that each has an extra dot at the end, as this came from a DNS request):
us-courier.push-apple.com.akadns.net.
p14-ckdatabase-current.edge.icloud.apple-dns.net.
ynuf.alibaba.com.gds.alibabadns.com.
googlehosted.googleusercontent.com.
What I am trying to get is the last 2 entries, so that I can extract, say, for these entries:
akadns.net
apple-dns.net
alibabadns.com
googleusercontent.com
(in some cases I need 3, for gov.uk domains)
Here, I cannot use the WORD pattern as some characters are not included. This match worked when I tested it to get the first entry only:
match => ["dns_query", "(?[A-Za-z0-9_-]+)"]
When I tried expanding it, I could not get it to work with this:
match => ["dns_query", "(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+)"]
match => ["dns_query", "(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+)"]
match => ["dns_query", "(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+)"]
match => ["dns_query", "(?[A-Za-z0-9_-]+).(?[A-Za-z0-9_-]+)"]
It only used the first match statement.
Any advice on what I am doing wrong?
Thanks!
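Added example, not part of the original post: the same FQDN handling worked through in Ruby. Logstash grok compiles its patterns with Oniguruma, the regex dialect Ruby uses, so the named captures below can be moved into a grok match unchanged. Grok tries the patterns in an array in order and, with the default break_on_match, stops at the first one that matches; the code shows why an unanchored pattern with an unescaped dot (which matches any character) matches a 3-label name too, and then an end-anchored pattern plus a small suffix list that returns the last two labels, or three for gov.uk-style names. The capture names (a..e, sld, tld), the function names and the three-label suffix list are assumptions made for this example.

```ruby
# Added example, not code from the original post. Logstash grok compiles its
# patterns with Oniguruma, the same regex engine Ruby uses, so the named
# captures below can be pasted into a grok "match" and tested here in plain Ruby.

LABEL = '[A-Za-z0-9_-]+'

# The shape of the pattern as posted: an unescaped "." (matches ANY character)
# and no anchors. Capture names a..e are placeholders chosen for this example.
LOOSE_FIVE = /(?<a>#{LABEL}).(?<b>#{LABEL}).(?<c>#{LABEL}).(?<d>#{LABEL}).(?<e>#{LABEL})/

# Anchored alternative: escape the dots and pin the pattern to the end of the
# string with \z, allowing the trailing dot a DNS query carries. Because the
# match is anchored at the end, the number of leading labels no longer matters,
# so one pattern replaces the five-, four-, three- and two-label variants.
LAST_TWO = /(?<sld>#{LABEL})\.(?<tld>#{LABEL})\.?\z/

# Equivalent grok line (filter syntax, not runnable here):
#   match => { "dns_query" => "(?<sld>[A-Za-z0-9_-]+)\.(?<tld>[A-Za-z0-9_-]+)\.?\z" }

# Suffixes under which three labels are needed. Constructed, short list for this
# example; a production filter would load a public-suffix list instead.
THREE_LABEL_SUFFIXES = %w[gov.uk co.uk ac.uk org.uk].freeze

# Return the last two labels of an FQDN, or the last three when the last two
# form one of the suffixes above. nil for anything that is not a clean FQDN.
def registrable_domain(fqdn, suffixes = THREE_LABEL_SUFFIXES)
  labels = fqdn.chomp('.').downcase.split('.', -1)
  return nil if labels.size < 2
  return nil unless labels.all? { |l| l.match?(/\A#{LABEL}\z/) }

  n = suffixes.include?(labels.last(2).join('.')) ? 3 : 2
  return nil if labels.size < n
  labels.last(n).join('.')
end

# Extract the last two labels with the anchored grok-style regex alone.
def last_two_grok(fqdn)
  m = LAST_TWO.match(fqdn)
  m && "#{m[:sld]}.#{m[:tld]}"
end

if __FILE__ == $PROGRAM_NAME
  # Sample queries from the post plus one constructed gov.uk name.
  %w[
    us-courier.push-apple.com.akadns.net.
    p14-ckdatabase-current.edge.icloud.apple-dns.net.
    ynuf.alibaba.com.gds.alibabadns.com.
    googlehosted.googleusercontent.com.
    www.example.gov.uk.
  ].each do |q|
    puts "#{q} -> #{registrable_domain(q)}"
  end

  # Why the first of several loose patterns "wins": it also matches a 3-label
  # name, with the "." wildcards eating letters, so grok never tries the rest.
  m = LOOSE_FIVE.match('googlehosted.googleusercontent.com.')
  puts "loose 5-label pattern on a 3-label name: #{m.named_captures}"
end
```

The anchored regex alone is enough for the two-label case; the suffix list is only there for the gov.uk-style names the post mentions, and in a real pipeline that decision is easier to make in a ruby filter (as above) than in grok itself.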