CSV content:
timestamp,view,zone_name,zone_format,signed,grid_primary,ms_primary,rr_a,......rr_other,rr_total,hosts,rr_lbdn,rr_dhcid,rr_unknown
2018-01-12 00:00:00,default.MS_2016,shekhar.com,Forward-Mapping,No,,10.102.31.216,1,0,2,0,0,0,1,0,0,0,0,1,0,0,1,1,0,1,0,8,0,0,0,|hinfo=10|cert=20|loc=30|abc=67|
2018-01-12 00:00:00,default.MS_2016,zone.com,Forward-Mapping,No,,,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,|caa=89|cname=90|aaaa=100|
In the above CSV entries, the last column ("rr_unknown") can contain key-value pairs.
This column needs to be further parsed, and each entry produced by that parsing needs to be displayed as a separate column in the table.
Example: the table display should look as follows:
Timestamp Zone 'A Record' 'AAAA Record' .. .. .. .. .. 'DHCID Record' 'CAA Record' 'CNAME Record' 'AAAA Record'
2018-01-12 00:00:00 zone.com 0 0 .. .. .. .. .. 0 89 90 100
The query that I am currently using is as follows:
sourcetype=ib:dns:zone index=ib_ipam (view="")
| msservers ms_primary
| dedup view,zone_name
| noop
| rename view as View, zone_name as Zone, zone_format as Function, signed as Signed, hosts as Hosts, rr_total as "Total Records",
    rr_a as "A Records", rr_aaaa as "AAAA Records", rr_cname as "CNAME Records", rr_dhcid as "DHCID Records", rr_dname as "DNAME Records",
    rr_dnskey as "DNSKEY Records", rr_ds as "DS Records", rr_mx as "MX Records", rr_naptr as "NAPTR Records", rr_nsec as "NSEC Records",
    rr_nsec3param as "NSEC3PARAM Records", rr_nsec3 as "NSEC3 Records", rr_ns as "NS Records", rr_ptr as "PTR Records", rr_rrsig as "RRSIG Records",
    rr_soa as "SOA Records", rr_srv as "SRV Records", rr_tlsa as "TLSA Records", rr_txt as "TXT Records", rr_other as "Other Records", rr_lbdn as "LBDN"
| eval Timestamp = strftime(_time, "%Y-%m-%d %H:%M:%S %Z")
| table Timestamp, Zone, Function, Signed, Hosts, "LBDN", "Total Records", "A Records", "AAAA Records", "CNAME Records", "DHCID Records",
    "DNAME Records", "DNSKEY Records", "DS Records", "MX Records", "NAPTR Records", "NSEC Records", "NSEC3PARAM Records", "NSEC3 Records",
    "NS Records", "PTR Records", "RRSIG Records", "SOA Records", "SRV Records", "TLSA Records", "TXT Records", "Other Records"
This query needs to be enhanced to accommodate the new column "rr_unknown" and to display the values found in it as individual columns.
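An added worked example (not from the question or from the Infoblox app) of the rr_unknown expansion, written in Python so it runs stand-alone on a constructed copy of the two CSV rows: the trimmed header and the "X Record" column labels are assumptions, and an SPL solution would have to perform the same split-on-"|", split-on-"=" pivot and the same union of keys across rows.

```python
import csv
import io

# Constructed sample in the shape of the question's CSV, trimmed to the columns
# this example needs (the real export carries many more rr_* counters).
SAMPLE_CSV = """timestamp,view,zone_name,rr_a,rr_aaaa,rr_cname,rr_dhcid,rr_unknown
2018-01-12 00:00:00,default.MS_2016,shekhar.com,1,0,0,0,|hinfo=10|cert=20|loc=30|abc=67|
2018-01-12 00:00:00,default.MS_2016,zone.com,0,0,0,0,|caa=89|cname=90|aaaa=100|
"""

# Fixed columns, renamed the way the question's query renames them.
FIXED = [("timestamp", "Timestamp"), ("zone_name", "Zone"), ("rr_a", "A Records"),
         ("rr_aaaa", "AAAA Records"), ("rr_cname", "CNAME Records"),
         ("rr_dhcid", "DHCID Records")]


def parse_rr_unknown(value):
    """Turn '|hinfo=10|cert=20|' into {'hinfo': '10', 'cert': '20'}.
    Surrounding '|', empty items and items with no '=' are skipped rather
    than raising, because the field is free-form and may be empty."""
    pairs = {}
    for item in (value or "").strip("|").split("|"):
        key, sep, val = item.partition("=")
        if sep and key.strip():
            pairs[key.strip().lower()] = val.strip()
    return pairs


def expand_table(csv_text):
    """Return (headers, rows): fixed columns first, then one column per
    distinct rr_unknown key in first-seen order; rows that lack a key get '0'
    so the table stays rectangular."""
    records = list(csv.DictReader(io.StringIO(csv_text)))
    parsed = [parse_rr_unknown(rec.get("rr_unknown")) for rec in records]
    dynamic = []  # ordered union of keys across all rows
    for kv in parsed:
        for k in kv:
            if k not in dynamic:
                dynamic.append(k)
    # Dynamic columns use the singular "X Record" label from the question, so a
    # key such as aaaa lands beside the fixed "AAAA Records" instead of on top of it.
    headers = [lbl for _, lbl in FIXED] + [f"{k.upper()} Record" for k in dynamic]
    rows = [[rec[col] for col, _ in FIXED] + [kv.get(k, "0") for k in dynamic]
            for rec, kv in zip(records, parsed)]
    return headers, rows
```

Because the column set is only known after every row has been read, the same is true in SPL: the dynamic columns must be collected across the whole result set before the table can be laid out.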