Hello!
I have DNS logs that I need to prepare for the Machine Learning recipe at this URL:
https://www.elastic.co/products/stack/machine-learning/recipes/dns-data-exfiltration-tunneling
I have a field: "my.support.base.net"
How do I modify the field to "my.support.BASE.NET" and "MY.SUPPORT.base.net" in Logstash filters or Ruby?
You can split that into domain and subdomain using
grok { match => { "myHost" => "%{GREEDYDATA:subdomain}\.(?<domain>[0-9A-Za-z][0-9A-Za-z-]{0,62}\.[0-9A-Za-z][0-9A-Za-z-]{0,62})$" } }
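As an added example (not part of the original thread or the Elastic recipe): the same split done in plain Ruby, so you can check what the grok pattern will produce before wiring it into a pipeline. `split_host` mirrors the grok regex (everything before the last two labels is `subdomain`, the last two labels are `domain`), lower-cases and strips a trailing dot first so that "MY.SUPPORT.base.net." and "my.support.base.net" land in the same bucket, and also emits the per-query features a DNS-tunnelling detector usually wants (subdomain length and label count). `per_domain_stats` then aggregates those per registered domain over a constructed list of query names. The feature names, the sample queries and the stats layout are my own choices; if you put this in a Logstash `ruby { code => ... }` filter, the hash keys become the fields you `event.set`.

```ruby
# Added example, not code from the original thread.
# Same label rule as the grok pattern: 1-63 alphanumerics/hyphens.
LABEL = /[0-9A-Za-z][0-9A-Za-z-]{0,62}/

# Same split as the grok line: everything before the last two labels is the
# subdomain, the last two labels are the "domain". ".+" instead of GREEDYDATA's
# ".*" so an empty subdomain (".base.net") is rejected rather than kept.
HOST_RE = /\A(?<subdomain>.+)\.(?<domain>#{LABEL}\.#{LABEL})\z/

# Returns a hash of fields for one query name, or nil when the name has no
# subdomain (bare "base.net", "localhost"), exactly as the grok match fails there.
def split_host(host)
  # DNS names are case-insensitive and may carry a trailing dot; normalise
  # before matching so differently-cased copies of one name agree.
  h = host.to_s.strip.chomp('.').downcase
  m = HOST_RE.match(h)
  return nil unless m
  sub = m[:subdomain]
  {
    'subdomain'        => sub,
    'domain'           => m[:domain],
    'subdomain_length' => sub.length,       # feature name: my choice
    'subdomain_labels' => sub.count('.') + 1 # feature name: my choice
  }
end

# Aggregate per registered domain: many distinct, long subdomains sent to one
# domain is the shape DNS exfiltration / tunnelling takes. Stats layout is mine.
def per_domain_stats(hosts)
  stats = Hash.new do |h, k|
    h[k] = { 'queries' => 0, 'unique_subdomains' => 0, 'subdomain_bytes' => 0 }
  end
  seen = Hash.new { |h, k| h[k] = {} }
  hosts.each do |host|
    r = split_host(host) or next # names with no subdomain contribute nothing
    s = stats[r['domain']]
    s['queries'] += 1
    s['subdomain_bytes'] += r['subdomain_length']
    unless seen[r['domain']][r['subdomain']]
      seen[r['domain']][r['subdomain']] = true
      s['unique_subdomains'] += 1
    end
  end
  stats
end

# Constructed sample query names (not real log data).
SAMPLE_QUERIES = %w[
  my.support.base.net
  MY.SUPPORT.base.net.
  www.example.com
  4a6f686e.0001.tunnel.example.org
  4a6f686e.0002.tunnel.example.org
  base.net
]

if __FILE__ == $PROGRAM_NAME
  SAMPLE_QUERIES.each { |q| p q => split_host(q) }
  per_domain_stats(SAMPLE_QUERIES).each { |dom, s| puts "#{dom}: #{s}" }
end
```

One caveat a practitioner should keep in mind: "last two labels" is only a stand-in for the registered domain. For a name such as `host.example.co.uk` this split (and the grok pattern above) reports `domain` = `co.uk` and `subdomain` = `host.example`, so all `.co.uk` traffic collapses into one bucket. If that matters for your data, split against the Public Suffix List instead of a fixed label count.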
Thx a lot!