Dear All,
I'm trying to retrieve and parse the Windows DNS log; the sample looks like this:
1/23/2020 11:59:42 PM 0B50 PACKET 000001F5A879FCD0 UDP Snd 10.231.150.89 b40e R Q [8081 DR NOERROR] A (3)www(15)msftconnecttest(3)com(0)
After installing the Splunk Add-on for Microsoft Windows DNS, it can automatically extract the field query = (3)www(15)msftconnecttest(3)com(0). But the query name looks very strange; the real name should be www.msftconnecttest.com.
So my question is, how do I parse or transform the query name into the correct format? Maybe I need to write some regular expression or something, but I'm not good at it.
Not tested, but you could try:
| eval fixedDNS = trim(replace(badDns, "\(\d+\)", "."), ".")
Where badDns is the field that contains "(3)www(15)msftconnecttest(3)com(0)"; trim() strips the leading and trailing dots that replacing "(3)" and the root label "(0)" would otherwise leave.
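For anyone who wants to do the same normalization outside of SPL (for example in a pre-processing script or a detection pipeline), here is an added, stand-alone Python example that is not part of this thread. It decodes the "(length)label" encoding from the Windows DNS debug log into a dotted name, validates each declared label length instead of trusting it, and splits the rest of the packet line into named fields. The field layout is assumed from the single line quoted in the question, and the sample line below is constructed to match it.

```python
import re

# Constructed sample: same layout as the Windows DNS debug log line quoted in the question.
SAMPLE_LINE = (
    "1/23/2020 11:59:42 PM 0B50 PACKET 000001F5A879FCD0 UDP Snd 10.231.150.89 "
    "b40e R Q [8081 DR NOERROR] A (3)www(15)msftconnecttest(3)com(0)"
)

# One "(length)label" unit of the debug-log name encoding.
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

# Whitespace-separated fields of a packet line; the layout is an assumption
# taken from the sample above, not a documented grammar.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+(?P<thread>[0-9A-Fa-f]+)\s+"
    r"(?P<context>\S+)\s+(?P<packet>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+"
    r"(?P<remote>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+(?P<response>R)?\s+(?P<opcode>\S)\s+"
    r"\[(?P<flags>[0-9A-Fa-f]+)\s+(?P<flagchars>[^\]]*?)\s*(?P<rcode>\S+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)


def decode_dns_name(raw):
    """Turn '(3)www(15)msftconnecttest(3)com(0)' into 'www.msftconnecttest.com'.

    Each '(n)' announces the length of the label that follows and '(0)' is the
    root label that ends the name. The declared length is checked against the
    label actually present, so a truncated or malformed field raises instead of
    quietly producing a wrong name.
    """
    labels = []
    pos = 0
    for m in LABEL_RE.finditer(raw):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos} in {raw!r}")
        length, label = int(m.group(1)), m.group(2)
        pos = m.end()
        if length == 0:
            # Root label: nothing may follow it.
            if label:
                raise ValueError(f"data after root label in {raw!r}")
            break
        if length > 63 or len(label) != length:
            raise ValueError(f"declared length {length} does not match label {label!r}")
        labels.append(label)
    if pos != len(raw):
        raise ValueError(f"trailing data in {raw!r}")
    return ".".join(labels) if labels else "."


def parse_dns_log_line(line):
    """Split one packet line into a dict, with the query name already decoded."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"line does not match the expected layout: {line!r}")
    rec = m.groupdict()
    rec["response"] = rec["response"] == "R"   # 'R' marks a response, blank a query
    rec["flagchars"] = rec["flagchars"].strip()
    rec["qname"] = decode_dns_name(rec["qname"])
    return rec


if __name__ == "__main__":
    record = parse_dns_log_line(SAMPLE_LINE)
    for key, value in record.items():
        print(f"{key:10} {value}")
```

The length check is the part the one-line SPL replace cannot give you: a log line whose declared label lengths do not match its labels is rejected, which is the behaviour you want before the normalized name is compared against allow or block lists in a detection rule.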