search: index=msad | makemv src_domain | mvexpand src_domain | eval newfield=ltrim(replace(src_domain, "([\d]+)", "."),".") | eval newfield=rtrim(newfield,".")
The bold query below is another example. When I look in the "newfield" field, the value is just "client", not "client-office365-tas.msedge.net".
4/6/2018 2:03:24 PM 0C38 PACKET 000002C8F8BC4520 UDP Snd 192.168.115.33 afad R Q [8081 DR NOERROR] A (20)client-office365-tas(6)msedge(3)net(0)
UDP response info at 000002C8F8BC4520
Socket = 716
Remote addr 192.168.115.33, port 54724
Time Query=607061, Queued=0, Expire=0
Buf length = 0x0200 (512)
Msg length = 0x00a0 (160)
Message:
XID 0xafad
Flags 0x8180
QR 1 (RESPONSE)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 1
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 3
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(20)client-office365-tas(6)msedge(3)net(0)"
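For reference, here is a worked decoder for the name format in the debug log above, written as an added example for this thread rather than code from the original post or from Splunk. The Windows DNS debug log prints a query name the way it sits on the wire: each label is preceded by its length in parentheses, and "(0)" is the root label that ends the name, so "(20)client-office365-tas(6)msedge(3)net(0)" is client-office365-tas.msedge.net. The example parses a PACKET record into its fields, decodes the name while checking that each label really has the announced length (so a truncated field is reported instead of silently turned into a wrong domain), and skips the multi-line detail block that follows each record. The sample lines, the field names and the `PACKET_RE` regex are constructed for this example; the second record is invented to show a received query with no "R" flag.

```python
import re

# Constructed sample input: the PACKET record from the post, one of the detail
# lines that follow a record in the debug log, and an invented received query.
SAMPLE_LINES = [
    "4/6/2018 2:03:24 PM 0C38 PACKET 000002C8F8BC4520 UDP Snd 192.168.115.33 afad R Q "
    "[8081 DR NOERROR] A (20)client-office365-tas(6)msedge(3)net(0)",
    "UDP response info at 000002C8F8BC4520",
    "4/6/2018 2:03:25 PM 0C38 PACKET 000002C8F8BC4521 UDP Rcv 192.168.115.34 0001   Q "
    "[0001   D   NOERROR] AAAA (3)www(7)example(3)com(0)",
]

# One label as the debug log prints it: "(n)label". Matching the parenthesised
# count is the key step; matching digits alone would also hit the "365" in the name.
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

# Layout of a PACKET record (hypothetical regex written for this example; the
# group names follow the columns of the Windows DNS debug log header).
PACKET_RE = re.compile(
    r"^(?P<date>\S+ \S+ [AP]M) (?P<thread>\S+) PACKET (?P<ctx>\S+) "
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<remote>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R?)\s+(?P<op>\S)\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname_raw>\(\d+\)\S*)$"
)


def decode_dns_name(encoded: str) -> str:
    """Turn '(20)client-office365-tas(6)msedge(3)net(0)' into a dotted name.

    Each '(n)' announces the length of the label that follows; '(0)' is the root
    label and ends the name. A length that does not match the label text means
    the field was cut or mangled, so raise rather than return a wrong domain.
    """
    labels = []
    for length, label in LABEL_RE.findall(encoded):
        n = int(length)
        if n == 0:
            break  # root label reached
        if len(label) != n:
            raise ValueError(f"label length {n} does not match {label!r} in {encoded!r}")
        labels.append(label)
    if not labels:
        raise ValueError(f"no labels found in {encoded!r}")
    return ".".join(labels)


def parse_record(line: str):
    """Return a dict of fields for a PACKET record, or None for any other line."""
    m = PACKET_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["qname"] = decode_dns_name(rec["qname_raw"])
    return rec


def parse_debug_log(lines):
    """Parse every PACKET record in an iterable of log lines, skipping detail lines."""
    return [rec for rec in (parse_record(ln) for ln in lines) if rec is not None]


if __name__ == "__main__":
    for rec in parse_debug_log(SAMPLE_LINES):
        print(rec["dir"], rec["remote"], rec["xid"], rec["qtype"], rec["qname"])
```

The same idea carries over to SPL: the pattern has to consume the whole "(n)" token, not just the digits, and drop the trailing "(0)" before joining the labels with dots.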