I'm currently using filter-dns to perform rDNS queries on a given field.
Config looks as follows:
    dns {
      reverse => [ "clientip" ]
      action  => "append"
    }
    if ( "" in [clientip][1] and [clientip][1] != '1' ) {
      mutate {
        add_field => [ "rdnsname", "%{[clientip][1]}" ]
        replace   => [ "clientip", "%{[clientip][0]}" ]
      }
    } else if ( "" in [clientip][1] and [clientip][1] == '1' ) {
      mutate {
        add_field => [ "rdnsname", "NXDOMAIN" ]
      }
    }
The above works fine if the rDNS lookup only returns one result.
Does anyone know what the result looks like if the rDNS lookup returns more than one name?
Will they be added like
    [clientip][1]
    [clientip][2]
    [clientip][3]
or will they be added as
    [clientip][1][1]
    [clientip][1][2]
    [clientip][1][3]
?
The other question would be: is it possible to join an array to string, BUT WITHOUT the first element?
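One way to cope with either of the two layouts the question asks about, and to join the names without the first element, as an added Ruby example that is not part of the original post or of the Logstash dns filter. It assumes a plain Hash as the event (inside a Logstash `ruby { code => ... }` filter you would use event.get/event.set instead) and keeps the post's own convention that a second element of "1" marks a failed lookup.

```ruby
# Added example, not from the original post: normalise the [clientip] array
# that the dns filter produces with action => "append".
# The event is modelled as a plain Hash (assumption); in a real ruby filter
# replace event["x"] with event.get("x") / event.set("x", value).

NXDOMAIN_MARKER = "1" # the post treats a second element of "1" as a failed lookup

# Split the appended field into [original_ip, [names...]].
# Works for both the flat layout   ["1.2.3.4", "a.example", "b.example"]
# and the nested layout            ["1.2.3.4", ["a.example", "b.example"]].
# Returns nil when the field is not an array (the dns filter did not run).
def split_rdns(field)
  return nil unless field.is_a?(Array) && !field.empty?
  ip = field[0]
  names = field[1..-1].flatten.compact.map(&:to_s)
  [ip, names]
end

# Join an array into a string while skipping its first element.
def join_without_first(arr, sep = ",")
  arr.drop(1).join(sep)
end

# Apply the post's logic in one place: clientip becomes the bare IP again and
# rdnsname carries every resolved name (comma-separated) or "NXDOMAIN".
# Note for detection use: PTR records are set by whoever controls the
# reverse zone, so rdnsname is enrichment data, not proof of identity.
def enrich_rdns(event)
  parts = split_rdns(event["clientip"])
  return event if parts.nil?
  ip, names = parts
  names = names.reject { |n| n == NXDOMAIN_MARKER }
  event["clientip"] = ip
  event["rdnsname"] = names.empty? ? "NXDOMAIN" : names.join(",")
  event
end
```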