Windows DNS normalise FQDN

(ict) #1

Hi there,

im sending my DNS logs into graylog and that is working as expected. What would be the best way to convert the below:

(3)www(8)linkedin(3)com(0)" so that it appears in a new field with for example.

Would it be a pipeline rule and if so what sort of syntax would i be looking for? i need to be able to normalise these as im also receiving DNS queries from another source so need to be able to correlate them easily enough


(system) #2

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.