Hi all,
I am currently working on getting some DNS logs into Elastic via Logstash.
Grokking the logs with the HOSTNAME pattern works for most hosts. However, there are some hostnames or DNS entries that actually start with or contain underscores, for example:
_http._tcp.security.ubuntu.com
I had a quick search for the issue and found the following, closed, feature request: LOGSTASH-2198 added '_' to grok hostname pattern by mihaiplesa · Pull Request #107 · logstash-plugins/logstash-patterns-core · GitHub
In that one I found the following suggested pattern:
HOSTNAME \b(?:[0-9A-Za-z_][0-9A-Za-z_-]{0,62})(?:\.(?:[0-9A-Za-z_][0-9A-Za-z_-]{0,62}))*(\.?|\b)
When I tried it with that one I ran into a large number of Grok Timeout errors and had to remove it again.
Since I'm new to the world of Grok, I was wondering if there are any less 'expensive' patterns that could be used, or if I maybe applied it in a less than efficient way?
Any feedback is appreciated.
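To see concretely why the stock HOSTNAME pattern rejects SRV-style names and the underscore variant accepts them, here is an added Ruby example (not part of the original post and not Logstash's own code). It assumes the stock logstash-patterns-core HOSTNAME definition as reproduced from memory below, and the DNS log line format is constructed for the example. Ruby's regex engine (Onigmo) is a close relative of the Oniguruma engine grok uses, so the matching behaviour carries over; both patterns are applied only to the final whitespace-separated field rather than scanned across the whole line, which is the same anchoring idea that usually keeps grok expressions from timing out.

```ruby
# Stock grok HOSTNAME pattern (assumed, reproduced from memory of logstash-patterns-core)
STOCK_HOSTNAME = /\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)/

# Variant from the linked pull request: underscores allowed at label start and inside labels
UNDERSCORE_HOSTNAME = /\b(?:[0-9A-Za-z_][0-9A-Za-z_-]{0,62})(?:\.(?:[0-9A-Za-z_][0-9A-Za-z_-]{0,62}))*(\.?|\b)/

# Constructed sample DNS query log lines; the format is invented for this example
SAMPLE_LOG = <<~LOG
  2024-01-01T10:00:00Z client 10.0.0.5 query A security.ubuntu.com
  2024-01-01T10:00:01Z client 10.0.0.5 query SRV _http._tcp.security.ubuntu.com
  2024-01-01T10:00:02Z client 10.0.0.7 query SRV _ldap._tcp.dc._msdcs.example.internal
LOG

# Extract the queried name from one log line using the given hostname regexp.
# The regexp is applied to the last field only and must consume the entire
# field; a partial match (e.g. the stock pattern latching onto
# "security.ubuntu.com" inside "_http._tcp.security.ubuntu.com") returns nil,
# mirroring what a full-field grok match would require.
def extract_host(line, host_re)
  field = line.split.last
  m = host_re.match(field)
  return nil unless m && m.begin(0).zero? && m.end(0) == field.length
  m[0]
end

# Run both patterns over every non-empty line and report the outcome per field.
def match_results(log = SAMPLE_LOG)
  log.lines.map(&:strip).reject(&:empty?).map do |line|
    {
      field: line.split.last,
      stock: extract_host(line, STOCK_HOSTNAME),
      underscore: extract_host(line, UNDERSCORE_HOSTNAME)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  match_results.each do |r|
    puts "#{r[:field]}: stock=#{r[:stock].inspect} underscore=#{r[:underscore].inspect}"
  end
end
```

Running the script prints the plain hostname matched by both patterns, while the two `_`-prefixed SRV names are matched only by the underscore variant; the stock pattern finds a match starting partway into the field, which a full-field check rejects.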