Grok query domain from DNS server log

tatdat · July 12, 2017, 7:42am

Hi,

I'm using Elastic Stack V5.5 and using logstahs for parse log from DNS server log. Something like that

(6)mobile(4)pipe(4)aria(9)microsoft(3)com(0)
(7)outlook(6)office(3)com(0)
(5)nexus(10)officeapps(4)live(3)com(0)

Now i want parse query domain to friendly domain like

mobile.pipe.aria.microsoft.com
outlook.office.com
nexus.officeapps.live.com

How can do it?

Thanks so much!

magnusbaeck · July 12, 2017, 2:59pm

How about using a mutate filter and its gsub option to replace $\d+$ with a period?

tatdat · July 12, 2017, 3:25pm

Thank for your suggestion. It's worked, but i got string after used gsub

.mobile.pipe.aria.microsoft.com.

How to remove first and last dot (.) in string ?

magnusbaeck · July 12, 2017, 3:33pm

How to remove first and last dot (.) in string ?

Use gsub to replace ^\. and \.$ with empty strings.

tatdat · July 12, 2017, 3:35pm

Thanks you so much!

My problem is solved!

Is config looklike that ?

filter {
  mutate {
    gsub => [     
      "domain", "\(\d+\)", ".",
      "domain", "^\.", "",
      "domain", "\.$", ""
    ]
  }
}

system · August 9, 2017, 3:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Replace substring and concat rest Logstash	3	577	July 16, 2020
Formatting Windows DNS logs Beats filebeat	5	4994	July 5, 2017
Microsoft DNS - parsing different length of domain name Logstash	5	254	August 2, 2021
How to split DNS request and retrive the domain Logstash	2	766	September 14, 2017
Replace Domain Logstash	5	1305	July 6, 2017