Microsoft DNS - parsing different length of domain name

gmaimbourg · June 30, 2021, 8:48am

Hello,

I'am working on Microsoft DNS log parsing and i don't know how can i parse different lengh of domain name.
Here is different examples of what i want to get :
(2)ui(12)powerreviews(3)com(0) into ui.powerreviews.com
(6)watson(9)telemetry(9)microsoft(3)com(0) into watson.telemetry.microsoft.com

As you can see those two ones are 3 and 4 fields long and sometimes i get some 10 fields long domain name and i want my logstash being able to parse every length of domain name.

Thanks.

Gaston Maimbourg,
cybersecurity apprentice for CD54

Badger · June 30, 2021, 4:27pm

It is unclear what result you want.

Iker · June 30, 2021, 5:22pm

I have seen that kind of logs, @Badger, he is trying to convert a field with value "(2)ui(12)powerreviews(3)com(0)" into " ui.powerreviews.com"; @gmaimbourg use gsub with a pattern that matches the "(number)" and replace all the ocurrences with dots.

Badger · June 30, 2021, 5:26pm

As Iker says, use mutate+gsub

mutate { gsub => [ "someField", "\(\d+\)", "." ] }

gmaimbourg · July 5, 2021, 11:45am

Thank you, it works

system · August 2, 2021, 11:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.