I just want to short explain the use case (and maybe hopefully increasing the incentive)
I would like to perform passive DNS lookups.
pDNS has proven to be a valuable tool within the security community.
Having the data structured will help greatly in achieving that.
Currently the data is kinda structured when I compare the _raw Event, when i compare it with the dig response
name{} contains the left column
host_type{} contains the middle column
hostname{} contains the hostnames of the right column
host_addr{} contains the right column
each of the list is sorted from top down. But since the results/right column are split into two lists it is quite a pain in the ass to wiggle it out.
Based on these assumptions I managed to mvzip the data together
index="esm-url-monitor-stream" | rename "hostname{}" as hostname, "host_addr{}" as host_addr, "host_type{}" as host_type, "name{}" as name | eval a=mvzip(name,host_type) | eval b=mvzip(name,host_type) | eval a=mvfilter(match(a,"address")) | eval b=mvfilter(!match(b,"address")) | eval a=mvzip(a,host_addr) | eval b=mvzip(b,hostname)
This produces a (IP result list) and b (hostname list) as comma separated string containing the response.
These can now probably again taken apart and then further processed and later presented in a proper way.
But I am not sure if this might still work for DNS requests having multiple requests or DNSSEC etc
