Windows DNS normalise FQDN

Hi there,

im sending my DNS logs into graylog and that is working as expected. What would be the best way to convert the below:

(3)www(8)linkedin(3)com(0)" so that it appears in a new field with for example.

Would it be a pipeline rule and if so what sort of syntax would i be looking for? i need to be able to normalise these as im also receiving DNS queries from another source so need to be able to correlate them easily enough


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.