Grokking DNS entries/hostnames with underscores - less expensive pattern?

Hi all,

I am currently working on getting some DNS logs into Elastic via Logstash.

Grokking the logs with the HOSTNAME pattern works for most hosts. However, there are some hostnames or DNS entries that actually start with or contain underscores, for example:

_http._tcp.security.ubuntu.com

I had a quick search for the issue and found the following, closed, feature request: LOGSTASH-2198 added '_' to grok hostname pattern by mihaiplesa · Pull Request #107 · logstash-plugins/logstash-patterns-core · GitHub

In that one I found the following suggested pattern:

HOSTNAME \b(?:[0-9A-Za-z_][0-9A-Za-z_-]{0,62})(?:.(?:[0-9A-Za-z_][0-9A-Za-z_-]{0,62}))*(.?|\b)

When I tried it with that one I ran into a large number of Grok Timeout errors and had to remove it again.

Since I'm new to the world of Grok, I was wondering if there are any less 'expensive' patterns that could be used, or if I maybe applied it in a less than efficient way?

Any feedback is appreciated.
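
An added example, not part of the original post or the Logstash project's code: it compares the pattern as quoted above with a variant that uses literal `\.` separators, and with a plain `\S+` field, on constructed DNS log lines. It assumes the `.` separators in the quoted pattern are unescaped exactly as shown on this page; the log layout, the sample lines and the names `STRICT`, `CHEAP`, `line_regex` and `extract` are made up for the illustration. A bare `.` lets the same text be split into labels in many ways, which multiplies the backtracking the engine does when the rest of a line fails to match.

```ruby
# Added example (not from the post). Ruby's Onigmo engine is a fork of
# Oniguruma, the regex family grok's engine implements.
LABEL = '[0-9A-Za-z_][0-9A-Za-z_-]{0,62}'

# As quoted in the post: the separator is a bare '.', which matches ANY
# character, so the same text can be split into "labels" in many ways.
QUOTED = /\b(?:#{LABEL})(?:.(?:#{LABEL}))*(.?|\b)/

# Assumed correction: literal '\.' separators plus an optional root dot.
STRICT = /(?:#{LABEL})(?:\.(?:#{LABEL}))*\.?/

# No validation at all, the equivalent of grok's NOTSPACE.
CHEAP = /\S+/

# Constructed log layout (an assumption): "<timestamp> query: <name> <TYPE>".
# \A and \z anchor the line so the engine tries only one start position.
def line_regex(hostname)
  /\A(?<ts>\S+) query: (?<name>#{hostname.source}) (?<type>[A-Z]+)\z/
end

# Returns the captured name field, or nil when the line does not match.
def extract(line, hostname)
  m = line_regex(hostname).match(line)
  m && m[:name]
end

# Constructed sample lines.
GOOD = '2024-01-01T00:00:00Z query: _http._tcp.security.ubuntu.com SRV'
ROOT = '2024-01-01T00:00:00Z query: example.com. A'
BAD  = '2024-01-01T00:00:00Z query: bad host!name A'

if __FILE__ == $PROGRAM_NAME
  { 'QUOTED' => QUOTED, 'STRICT' => STRICT, 'CHEAP' => CHEAP }.each do |n, re|
    [GOOD, ROOT, BAD].each { |l| puts "#{n}: #{extract(l, re).inspect}" }
  end
end
```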
