Help with writing a pipeline to remove numbers from a string

We use Filebeat to import a DNS log from our Windows servers, and there is a field for the DNS request name that is coming up as “(3)dns(8)msftncsi(3)com(0)”. Would there be a way to remove the (number) from the string so that it looks like “dns.msftncsi.com”? Currently using Graylog 3.3.1.

Thank you for any assistance.

Use regex_replace() in a pipeline.

https://docs.graylog.org/en/latest/pages/pipelines/functions.html#regex-replace

Should be easy to pick out (#) and set it to replace with a period.

Something like this could work:

// Backslashes are doubled inside rule strings; [0-9]+ also matches label lengths of 10 or more
regex_replace("\\([0-9]+\\)", to_string($message.dns_field), ".", true);

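An added example, not part of the original replies: a complete pipeline rule built around the regex_replace() call suggested above. It assumes the field is named dns_field as in the reply, and the rule name is made up. It also strips the leading dot and the trailing dot that replacing the first length prefix and the final (0) leave behind.

```graylog
rule "normalize windows dns query name"
when
  // assumed field name, taken from the reply above
  has_field("dns_field")
then
  // (3)dns(8)msftncsi(3)com(0) -> .dns.msftncsi.com.
  // [0-9]+ covers labels of 10 or more characters, e.g. (11)
  let dotted = regex_replace("\\([0-9]+\\)", to_string($message.dns_field), ".", true);

  // .dns.msftncsi.com. -> dns.msftncsi.com
  let trimmed = regex_replace("^\\.|\\.$", dotted, "", true);

  set_field("dns_field", trimmed);
end
```

The rule only takes effect once it is added to a stage of a pipeline connected to the stream that receives the Filebeat DNS messages.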
