How to compare field from one stream with other?

blason · January 15, 2019, 6:09pm

Hi team,

Here is my query about comparing one field from one stream with other. I am collecting logs from packetbeat port 53 from Windows based DNS server and its being stored in one stream also I am collecting logs from DNS sinkhole which has forwarder set from DNS.

So the flow would be on -

Users desktop we have Windows based DNS set;
Which has packetbeat running and capturing packets on port 53 [say network-stream]
Then we have forwarder set for DNS Sinkhole server
Which are again getting ingested in Graylog in other stream [say dns-stream]
Now I wanted to have one more stream configured for below scenario and would really appreciate if someone can help me on this?

User ABC [ip 10.10.10.10] --> xyz.com --> Windows DNS —> DNS Sinkhole
As soon as DNS Sinkhole DNS query is flagged’ wanted the same query to be checked from Windows stream and if found should highlight IP address.

Thanks and Regards,
Blason R

jan · January 16, 2019, 6:44am

check for the slookup plugin - that might help you with this.

system · January 30, 2019, 6:44am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How do I achieve my below requirement with graylog? Graylog Central (peer support) pipeline-rules	2	273	February 1, 2022
Can someone please help me on this extractors and dashboards? Graylog Central (peer support)	8	1543	August 15, 2017
Sending DNS Logs to GrayLog Graylog Central (peer support)	11	1199	January 5, 2023
List every device that is sending logs to ip Graylog Central (peer support)	3	1659	May 21, 2018
Unable to plot a data table for below query and not sure why? Graylog Central (peer support)	9	539	March 8, 2022

How to compare field from one stream with other?

Related Topics