Is it possible to match domain names when using parser expression pattern?

One raw log line is (multiline):

12:18:03.220396 IP 192.168.236.21.49851 > 192.168.0.6.443: Flags [P.], seq 750523337:750523854, ack 944158970, win 2064, options [nop,nop,TS val 2748450207 ecr 2209508457], length 517
E..9..@.@..P............,...8F......B......
......li..................@......Ma..A..'.p.....e.V ...^..%..B...}V..k..0..Zk.zp...............,.+...0./...
.       ........

...........t4.mycompany.com..........
...
.......................h2.http/1.1..........................................3.+.)........ ..D.;.M.....f....F...3..$......b.-.....+...JJ....................................................................................................................................................................................................................................

LogQL like this:

{job="tcpdump", app="https"} | pattern "<time> IP <src> > <dst>: <_> <domain(domname)> <_>" | line_format "{{.time}} {{.src}} accessed {{.domname}}, {{.dst}}"

Expected output log:

12:18:03.220396 192.168.236.21.49851 accessed t4.mycompany.com, 192.168.0.6.443

Or, if not supported, is there any suggested way?
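The following is an added example, not code from the original post or from Loki: it reproduces, in Python's `re`, what a Loki `| regexp` parser stage would have to do with this entry. The pattern parser only splits on literal delimiters, so a sub-pattern such as `<domain(domname)>` cannot express "a hostname"; a regular expression can. The expression below uses only syntax that Python `re` and Go RE2 share, so the same text can be pasted into a LogQL `regexp` stage (assumption: written in backticks, the stage accepts it unchanged). Because tcpdump `-A` prints every non-printable byte as `.`, any letters around a dot look like a hostname label (note `Zk.zp` and `h2.http/1.1` in the payload), so the heuristic requires at least three labels with an alphabetic last label; a two-label SNI such as `example.com` would be missed, and the robust fix is to feed Loki structured TLS metadata instead of `-A` text. The sample entry is the post's log, constructed here as the single newline-containing line Loki would store.

```python
import re

# Constructed sample: the multi-line tcpdump -A entry from the post, stored the
# way Loki keeps it, as one log line with embedded newlines.
SAMPLE_ENTRY = (
    "12:18:03.220396 IP 192.168.236.21.49851 > 192.168.0.6.443: Flags [P.], "
    "seq 750523337:750523854, ack 944158970, win 2064, "
    "options [nop,nop,TS val 2748450207 ecr 2209508457], length 517\n"
    "E..9..@.@..P............,...8F......B......\n"
    "......li..................@......Ma..A..'.p.....e.V ...^..%..B...}V..k..0..Zk.zp"
    "...............,.+...0./...\n"
    ".       ........\n"
    "\n"
    "...........t4.mycompany.com..........\n"
    "...\n"
    ".......................h2.http/1.1..........3.+.)........ ..D.;.M.....f....F...3"
    "..$......b.-.....+...JJ....\n"
)

# One expression, restricted to syntax shared by Python `re` and Go RE2:
#  - the header part names time, src and dst exactly as the post's pattern does;
#  - (?s) lets the lazy .*? cross the embedded newlines into the payload;
#  - domname needs >= 3 labels and an alphabetic last label, which rejects the
#    IP:port tokens in the header and the accidental pairs like "Zk.zp" and
#    "h2.http" that tcpdump -A produces from binary bytes.
TCPDUMP_SNI_RE = re.compile(
    r"(?s)^(?P<time>\S+) IP (?P<src>\S+) > (?P<dst>\S+):"
    r".*?"
    r"(?P<domname>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\.[A-Za-z]{2,})"
)

# Assumed LogQL equivalent (not taken from the post): the same regex in a
# backtick string so no backslash doubling is needed, followed by the
# line_format the post already uses.
LOGQL_QUERY = (
    '{job="tcpdump", app="https"} '
    "| regexp `" + TCPDUMP_SNI_RE.pattern + "` "
    '| line_format "{{.time}} {{.src}} accessed {{.domname}}, {{.dst}}"'
)


def extract_access(entry: str):
    """Return the named fields (time, src, dst, domname) or None when the entry
    has no hostname-looking token, e.g. a bare ACK segment."""
    m = TCPDUMP_SNI_RE.search(entry)
    return m.groupdict() if m else None


def format_access(entry: str):
    """Render the entry the way the post's line_format would, or None."""
    fields = extract_access(entry)
    if fields is None:
        return None
    return f"{fields['time']} {fields['src']} accessed {fields['domname']}, {fields['dst']}"


if __name__ == "__main__":
    print(LOGQL_QUERY)
    print(format_access(SAMPLE_ENTRY))
```

Entries without a ClientHello (pure ACKs, application data after the handshake) yield `None` here; in Loki the `regexp` stage simply leaves the labels unset, so a `| domname != ""` filter after it keeps only the lines that carry an SNI.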
