Field Extraction to two Fields

(Pwe123345) #1


I have a query like this:

named[17627]: 15-May-2018 15:57:33.135 queries: info: client <IP-ADDRESS>#65281: query: IN A +

The GROK Pattern is like this:

%{DATA:UNWANTED} client %{IPV4:Client_Address}\#%{DATA:UNWANTED} query\: %{URIHOST:URI_Host} %{WORD:DNS_Direction} %{WORD:DNS_type}

Now I want to convert the part

... ....

to two fields:


Is this even possible?

kind regards

(Jochen) #2

Sure. You can either create a custom Grok pattern or process the result (“URI_Host”) accordingly.

(Pwe123345) #3

That sounds great.

Can you point me in the correct direction? I'm not sure how to transform one string into two substrings with the grok pattern.

Building the correct pattern should be no problem.

kind regards

(Jochen) #4

The following regular expression would work:


For example, the result in the “domain” group when matched against would contain and when matched against it would contain
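Added example (mine, not code from the thread or from Graylog): the two approaches named in this thread side by side, written in plain Python regex so they can be run offline. Grok compiles every `%{PATTERN:field}` into a named capture group, so the first regex is a direct equivalent of the poster's GROK pattern; the second splits the extracted `URI_Host` value into two fields the way a custom grok pattern or a post-processing regex would. The split rule is an assumption, since the page does not say which two fields were wanted: the last two labels go into `domain`, anything before them into `host`. The log lines and query names are constructed, not taken from the original post.

```python
import re

# Constructed sample lines in the shape of the thread's BIND query log.
# The client addresses and query names are made up for this example.
SAMPLE_LINES = [
    "named[17627]: 15-May-2018 15:57:33.135 queries: info: client "
    "192.0.2.10#65281: query: mail.example.com IN A +",
    "named[17627]: 15-May-2018 15:57:34.002 queries: info: client "
    "192.0.2.11#53011: query: example.net IN AAAA +",
    "named[17627]: 15-May-2018 15:57:35.500 queries: info: client "
    "192.0.2.12#40000: query: www.example.co.uk IN A +",
]

# Step 1: regex equivalent of the thread's GROK pattern. Each named group
# plays the role of one %{PATTERN:field} (the unwanted parts are not captured).
LINE_RE = re.compile(
    r"client (?P<client_address>(?:\d{1,3}\.){3}\d{1,3})#\d+: "
    r"query: (?P<uri_host>\S+) (?P<dns_direction>\w+) (?P<dns_type>\w+)"
)

# Step 2: split the extracted host into two fields with two named groups.
# Assumed split (not stated on the page): the last two labels form "domain",
# everything before them is "host" (absent when the name has only two labels).
HOST_RE = re.compile(r"^(?:(?P<host>.+)\.)?(?P<domain>[^.]+\.[^.]+)$")


def split_host(uri_host):
    """Return (host, domain) for a query name, or None if it does not fit."""
    m = HOST_RE.match(uri_host)
    if not m:
        return None
    return m.group("host"), m.group("domain")


def extract(line):
    """Parse one BIND query log line into a dict of fields, or None on no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    parts = split_host(fields["uri_host"])
    if parts:
        fields["host"], fields["domain"] = parts
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract(line))
```

The third sample line shows the caveat with this kind of split: a two-label rule puts `co.uk` into `domain` and `www.example` into `host`, which is almost certainly not what you want for names under multi-label public suffixes. A regex cannot know where the registrable domain ends; if that matters for your data, the split needs a public-suffix list rather than a fixed label count. Either regex can be registered as a custom grok pattern (the named groups become the field names) or applied to the already-extracted `URI_Host` value in a pipeline rule, which is the second option Jochen describes.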

(Pwe123345) #5

Hi Jochen,

that looks great, thanks.

In the GROK Patterns, I just adjusted




But the data still gets filled to the “domain” field.

kind regards

(Jochen) #6

That’s why I provided a regular expression and a link to the regex() function.

