When looking at the search-time extractions being done by the Infoblox TA, it seems like the src and dest fields are a little bit mixed up. What I would expect to see as the src (in the example event, the client making the request) shows up as the dest and vice versa.
The transforms.conf included in the app seems to be doing the wrong thing, where it assigns dest as the server_ip if the message is a response. If I'm thinking about network flow, the response is coming from the server, and so should be the src, not the dest. In the case where the message type is not a response, the TA returns the dest as the dns_request_client_ip, which feels like it should instead be the src.
As a bit of a side note, the CIM wording on this feels somewhat ambiguous:
dest: The destination of the network resolution event
src: The source of the network resolution event
So based on that definition I could also see either being correct.
Example event:
<30>Mar 2 20:46:36 infobloxhostname 10.160.10.12 named[30577]: client 10.156.27.56#58392 (debug.opendns.com): query: debug.opendns.com IN TXT +E (10.160.10.12)
src = 10.160.10.12
dest = 10.156.27.56
transforms.conf:
EVAL-dest = if(match(message_type,"response"),server_ip,if(command == "dhcp_updater_default", infoblox_ip, dns_request_client_ip))
EVAL-src = coalesce(src_req,src_resp,src_ip)
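To make the two mappings concrete, here is an added example (not code from the post or from the Infoblox TA) that parses the sample query event, renders the posted EVAL-dest and EVAL-src logic in Python, and prints it next to the packet-direction mapping the post argues for. The regex, its group names, and the src_ip value passed in are assumptions made for the example: the group names mirror the fields the EVALs reference, and src_ip is set so that EVAL-src resolves to the src value the post reports. The extractions that populate src_req, src_resp, src_ip and message_type in the real TA are not shown on the page.

```python
import re

# Constructed sample: the query event quoted in the post above.
SAMPLE_EVENT = (
    "<30>Mar 2 20:46:36 infobloxhostname 10.160.10.12 named[30577]: "
    "client 10.156.27.56#58392 (debug.opendns.com): query: debug.opendns.com "
    "IN TXT +E (10.160.10.12)"
)

# Assumed extraction for a BIND-style "query:" line. The group names mirror the
# field names used by the posted EVAL-dest, but this regex is an assumption for
# the example, not the TA's own transforms.
QUERY_RE = re.compile(
    r"^<\d+>(?P<timestamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<infoblox_ip>\d+\.\d+\.\d+\.\d+) named\[(?P<pid>\d+)\]: "
    r"client (?P<dns_request_client_ip>\d+\.\d+\.\d+\.\d+)#(?P<src_port>\d+) "
    r"\((?P<query_name>[^)]*)\): (?P<message_type>query): (?P<query>\S+) "
    r"IN (?P<record_type>\S+) (?P<flags>\S+) \((?P<server_ip>\d+\.\d+\.\d+\.\d+)\)$"
)


def extract_fields(event):
    """Parse one query event into a dict of the fields the EVALs reference."""
    m = QUERY_RE.match(event)
    if not m:
        raise ValueError("not a recognised query event: %r" % event)
    fields = m.groupdict()
    fields["command"] = None  # only populated on DHCP events; absent here
    return fields


def ta_eval_dest(fields):
    """Python rendering of the posted EVAL-dest, branch for branch.

    Splunk's match() returns null when message_type is null, so if() then
    falls through to the else branch; the guard below mirrors that."""
    message_type = fields.get("message_type")
    if message_type is not None and re.search("response", message_type):
        return fields.get("server_ip")
    if fields.get("command") == "dhcp_updater_default":
        return fields.get("infoblox_ip")
    return fields.get("dns_request_client_ip")


def ta_eval_src(fields):
    """Python rendering of EVAL-src = coalesce(src_req, src_resp, src_ip).

    The extractions that populate src_req / src_resp / src_ip are not shown
    in the post, so they are read straight from the fields dict."""
    for name in ("src_req", "src_resp", "src_ip"):
        if fields.get(name) is not None:
            return fields[name]
    return None


def flow_mapping(fields):
    """The src/dest the post expects: follow the direction of the packet.

    A query travels client -> server; a response travels server -> client."""
    is_response = bool(re.search("response", fields.get("message_type") or ""))
    client, server = fields["dns_request_client_ip"], fields["server_ip"]
    if is_response:
        return {"src": server, "dest": client}
    return {"src": client, "dest": server}


def compare(event, src_ip=None):
    """Return both mappings for one event so they can be placed side by side."""
    fields = extract_fields(event)
    if src_ip is not None:
        fields["src_ip"] = src_ip  # assumption: stands in for the TA's src_* extraction
    return {
        "ta": {"src": ta_eval_src(fields), "dest": ta_eval_dest(fields)},
        "flow": flow_mapping(fields),
    }


if __name__ == "__main__":
    # src_ip is an assumption chosen to reproduce the src value the post reports.
    for side, pair in compare(SAMPLE_EVENT, src_ip="10.160.10.12").items():
        print("%-4s src=%s dest=%s" % (side, pair["src"], pair["dest"]))
```

For the sample query the two mappings come out swapped relative to each other (the TA branch gives src=10.160.10.12 / dest=10.156.27.56, the flow branch the reverse). Feeding the same fields with message_type set to "response" shows the other half of the post's point: the posted EVAL-dest picks server_ip, whereas a packet-direction mapping would put the server in src.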