Hi everybody.
An update on this: using this rule, I obtained all the results (IP addresses, which is what I need, but additionally TTLs):
rule "Regla Pipeline - Windows DNS Server - SilkService - Lookup DNS QNAME - MultiIP"
when
has_field("QNAME") AND NOT contains(to_string($message.QNAME), "empresa.com")
then
let multiIPs = lookup("DNS_QNAME_IP", to_string($message.QNAME));
set_field("QNAME_IPs_Prueba", multiIPs.results);
end
With this, I obtain:
The problem is that I only need to obtain the IP address values. I tried to use in the rule:
- set_field("QNAME_IPs_Prueba", multiIPs.results.ip_address);
- set_field("QNAME_IPs_Prueba", multiIPs.results.ip_address);
Graylog does not allow me to use the first option, and the second one gives me no results.
I think I'm near, so any help is appreciated.
Thanks in advance.
Regards,
Alejandro