5/24/2023

Parse dns log

Any idea how to parse the full Windows DNS Trace Log events?

From the Answer section, tokenized, each name in one field and each data in another field.

I have regex that will parse the first line no problem, but everything after that is a PIA.

The Answer field should have the following values: 108.177.98.104

The Question field should have three values:

EXTRACT-Threat_ID,Context,Int_packet_ID,proto,mode,Xid,type,Opcode,Flags_Hex,char_code,ResponseCode,question_type =.

DATA\s ?(. )\n = (?i) (?P\d \.\d \.\d \.\d )

Testing regex using a site like gets me the following regex syntax that catches all instances of the fields that I want.

And now I'm trying to build my nf so I'm testing what my regex should be using the following search.

REGEX = (?m) Name\s (?. )\W. \W. \W. \W. \W. DATA

So in my search, I tested the following: index=test_dns | makemv delim="/n/r", Answers

And index=test_dns | makemv delim="/n", Answers

So I tried index=test_dns | makemv delim="/r", Answers

Using the suggested configuration at the bottom of:

Got me a little further, but I still can't isolate the domains or the IPs that are part of the ANSWER section so they create a multi-value field.