Commit
fix issue parsing dns.ip
mmguero committed Nov 1, 2023
1 parent 4be0d17 commit fd69cad
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion logstash/pipelines/zeek/12_zeek_mutate.conf
Expand Up @@ -410,7 +410,7 @@ filter {
ruby {
id => "ruby_zeek_dns_answers_ip_extract"
# todo: adjust this regex so it at least sort of catches IPv6 as well
code => "event.set('[@metadata][answers_ip]', event.get('[zeek][dns][answers]').scan(/\d+\.\d+\.\d+\.\d+/).join(','))"
code => "event.set('[@metadata][answers_ip]', event.get('[zeek][dns][answers]').scan(/\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/).join(','))"
}
mutate { id => "mutate_split_zeek_dns_answers"
split => { "[zeek][dns][answers]" => "," } }
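Review bot: the new pattern on the added `code =>` line still accepts octets above 255 (`\d{1,3}` matches `999`), and `\b` only stops a match from starting or ending inside a run of digits or letters. It still matches next to `.` or `-`, so a dotted quad embedded in a longer answer, for example a PTR-style name such as `4.3.2.1.in-addr.arpa`, is still extracted into `[@metadata][answers_ip]` as if it were an address. Since the following `mutate` splits `[zeek][dns][answers]` on `,`, consider splitting first and validating each element as a whole, either by anchoring the pattern with `\A` and `\z` per element or by parsing each element with Ruby's `IPAddr`, which would also resolve the IPv6 `todo` left in the comment above. The line also calls `.scan` directly on `event.get('[zeek][dns][answers]')`; the visible context shows no guard for a nil or non-string value, so confirm the enclosing conditional guarantees a string here. A short comment giving the sample answer that broke the old regex would help, since the commit message does not say.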
