We are trying to do field extraction of the AWS DNS events. Currently we are getting the events with the below index name, source and sourcetype:
index = aws-cloudtrail source = us-east-1:/aws/route53/ins.company.com:Z7ZW0F4AW5AIB/IAH50-C3 sourcetype = aws:cloudwatch
I have created props and transforms as a separate app for field extraction, but it is not working.
cat props.conf - for some reason * is not showing in this editor. It's (source::**asterisk**/aws/route53/**asterisk**/**asterisk**)
[source::*/aws/route53/*/*]
REPORT-fields = AWS_DNS_route53
cat transforms.conf
[AWS_DNS_route53]
DELIMS = " "
FIELDS = "version","query_timestamp","hosted_zoneid","queryname","querytype","response_code","protocol","edge_location","ip_address","subnet"
_RAW
1.0 2020-01-07T13:13:00Z Z7ZW0F4AW5AIB ins.company.com AAAA NOERROR UDP KJS50-C3 2001:1890:1ff:8c7:124:10:98:184 -
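As an added example (not from the post and not Splunk's own code), the positional split that the DELIMS/FIELDS stanza above performs, written in Python so the token count and the "-" subnet placeholder can be checked against sample lines; the second sample event is constructed, the first is the one from the post.

```python
"""Mirror of the DELIMS = " " / FIELDS extraction from the transforms.conf stanza."""
from datetime import datetime, timezone
from typing import Optional

# Field names exactly as listed in the post's transforms.conf stanza.
FIELDS = ["version", "query_timestamp", "hosted_zoneid", "queryname",
          "querytype", "response_code", "protocol", "edge_location",
          "ip_address", "subnet"]

# Sample events: the first is the event shown in the post, the second is a
# constructed IPv4 line with an EDNS client subnet present.
SAMPLE_EVENTS = [
    "1.0 2020-01-07T13:13:00Z Z7ZW0F4AW5AIB ins.company.com AAAA NOERROR UDP "
    "KJS50-C3 2001:1890:1ff:8c7:124:10:98:184 -",
    "1.0 2020-01-07T13:14:05Z Z7ZW0F4AW5AIB www.ins.company.com A NXDOMAIN TCP "
    "IAH50-C3 198.51.100.7 198.51.100.0/24",
]


def extract_fields(raw: str) -> Optional[dict]:
    """Split one Route 53 query log line on single spaces (DELIMS = " ") and
    pair the tokens positionally with FIELDS.

    Returns None when the token count does not match the field list, which
    is the usual reason a DELIMS-based extraction silently produces nothing.
    """
    tokens = raw.strip().split(" ")
    if len(tokens) != len(FIELDS):
        return None
    event = dict(zip(FIELDS, tokens))
    # Route 53 writes "-" for the subnet when no EDNS client subnet was sent.
    if event["subnet"] == "-":
        event["subnet"] = None
    # Parse the ISO-8601 UTC timestamp so it can be used as the event time.
    event["query_timestamp"] = datetime.strptime(
        event["query_timestamp"], "%Y-%m-%dT%H:%M:%SZ"
    ).replace(tzinfo=timezone.utc)
    return event


def extract_all(events) -> list:
    """Extract every parseable line, dropping lines with the wrong token count."""
    return [e for e in (extract_fields(r) for r in events) if e is not None]
```

Running extract_all over SAMPLE_EVENTS yields two dicts; a line with a different number of space-separated tokens is dropped rather than mis-assigned.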