Field Extraction to two Fields


I have a query like this:

named[17627]: 15-May-2018 15:57:33.135 queries: info: client <IP-ADRESS>#65281: query: IN A +

The GROK Pattern is like this:

%{DATA:UNWANTED} client %{IPV4:Client_Address}\#%{DATA:UNWANTED} query\: %{URIHOST:URI_Host} %{WORD:DNS_Direction} %{WORD:DNS_type}

Now I want to convert the part

... ....

to two fields:


Is this even possible?

kind regards

Sure. You can either create a custom Grok pattern or process the result (“URI_Host”) accordingly.

That sounds great.

Can you point me in the correct direction? I'm not sure how to transform one string to two substrings with the grok pattern.

To build the correct pattern should be no problem.

kind regards

The following regular expression would work:


For example, the result in the “domain” group when matched against would contain and when matched against it would contain
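
As an added illustration (not the regular expression from the reply above, whose text is not preserved here, and not Graylog's own code), the following Python shows the general shape of the technique: parse the BIND query line with a regex that mirrors the grok pattern, then split the matched `URI_Host` into two fields. The two-field split into `domain` (last two labels) and `subdomain` (everything before them) is an assumed rule chosen for this example; the field name `subdomain` and the sample log lines are constructed, and the split deliberately ignores multi-label public suffixes such as `co.uk`, which need a suffix list rather than a regex.

```python
import re

# Constructed sample lines in the BIND "queries" log format shown in the thread.
# Client IPs and hostnames are made up for this example.
SAMPLE_LOGS = [
    "named[17627]: 15-May-2018 15:57:33.135 queries: info: client 192.0.2.10#65281: query: www.example.com IN A +",
    "named[17627]: 15-May-2018 15:57:34.002 queries: info: client 192.0.2.11#50512: query: example.org IN AAAA +",
    "named[17627]: 15-May-2018 15:57:35.417 queries: info: client 192.0.2.12#41000: query: a.b.c.example.net IN TXT +",
]

# Python counterpart of the thread's grok pattern. Named groups stand in for
# %{IPV4:Client_Address}, %{URIHOST:URI_Host}, %{WORD:DNS_Direction}, %{WORD:DNS_type}.
QUERY_LINE = re.compile(
    r"client (?P<Client_Address>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<URI_Host>[A-Za-z0-9.-]+) (?P<DNS_Direction>\w+) (?P<DNS_type>\w+)"
)

# Assumed split rule: "domain" is the last two labels, "subdomain" is whatever
# precedes them (may be empty). A trailing dot on the host is tolerated.
# Caveat: a name such as "shop.example.co.uk" would yield domain "co.uk".
HOST_SPLIT = re.compile(r"^(?:(?P<subdomain>.+)\.)?(?P<domain>[^.]+\.[^.]+)\.?$")


def split_host(host):
    """Return {'domain': ..., 'subdomain': ...} or None if the host has fewer than two labels."""
    m = HOST_SPLIT.match(host)
    if not m:
        return None
    return {"domain": m.group("domain"), "subdomain": m.group("subdomain") or ""}


def parse_query_line(line):
    """Extract the grok-equivalent fields from one log line and add the two host fields."""
    m = QUERY_LINE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    parts = split_host(fields["URI_Host"])
    if parts:
        fields.update(parts)
    return fields


def parse_all(lines):
    """Parse every line that matches; lines that do not match are skipped."""
    parsed = [parse_query_line(line) for line in lines]
    return [p for p in parsed if p is not None]


if __name__ == "__main__":
    for record in parse_all(SAMPLE_LOGS):
        print(record)
```

In Graylog the same split can be expressed either as a second grok pattern applied to `URI_Host` or with the `regex()` pipeline function, using the regular expression from `HOST_SPLIT` with Java-style `(?<name>...)` groups; the important part is that the match runs against the extracted host field, not against the whole log line.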


Hi Jochen,

that looks great, thanks.

In the GROK Patterns, I just adjusted




But the data still gets filled to the “domain” field.

kind regards

That’s why I provided a regular expression and a link to the regex() function.
