Microsoft DNS - parsing different length of domain name

gmaimbourg · June 30, 2021, 8:48am

Hello,

I'am working on Microsoft DNS log parsing and i don't know how can i parse different lengh of domain name.
Here is different examples of what i want to get :
(2)ui(12)powerreviews(3)com(0) into ui.powerreviews.com
(6)watson(9)telemetry(9)microsoft(3)com(0) into watson.telemetry.microsoft.com

As you can see those two ones are 3 and 4 fields long and sometimes i get some 10 fields long domain name and i want my logstash being able to parse every length of domain name.

Thanks.

Gaston Maimbourg,
cybersecurity apprentice for CD54

Badger · June 30, 2021, 4:27pm

It is unclear what result you want.

Iker · June 30, 2021, 5:22pm

I have seen that kind of logs, @Badger, he is trying to convert a field with value "(2)ui(12)powerreviews(3)com(0)" into " ui.powerreviews.com"; @gmaimbourg use gsub with a pattern that matches the "(number)" and replace all the ocurrences with dots.

Badger · June 30, 2021, 5:26pm

As Iker says, use mutate+gsub

mutate { gsub => [ "someField", "\(\d+\)", "." ] }

gmaimbourg · July 5, 2021, 11:45am

Thank you, it works

Topic		Replies	Views
Grok query domain from DNS server log Logstash	5	1423	August 9, 2017
Formatting Windows DNS logs Beats filebeat	5	5129	July 5, 2017
Parsing DNS Logs from GCP Cloud Logstash	2	621	February 10, 2020
How to parse DNS log Logstash	1	859	July 26, 2017
Parsing of field which have dynamic number of subfield Logstash	4	535	June 24, 2019

Microsoft DNS - parsing different length of domain name

Related topics