Sure. These are bro DNS logs, so they are tab delimited (I'll do comma below).
1511991992.963051,CE0oKO1yiHQLlxOB5g,10.10.10.10,47041,10.20.20.20,53,udp,13336,internal-srv.ewade.internal,C_INTERNET,1,A,0,NOERROR,T,F
1511991994.963051,CE0oKO1yweQLlxOB5g,10.10.10.10,47041,10.20.20.20,53,udp,13336,maliciouswebsite.g.mail.com,C_INTERNET,1,A,0,NOERROR,T,F
internal-srv.ewade.internal is the "A" record that we want to filter out, while maliciouswebsite.g.mail.com is the one we want to pass to Splunk. A RegEx would suffice, but I'm not sure where to do this or the syntax. "blacklist" under inputs.conf seems to only refer to filenames.
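One way to drop the internal A-record events before they are indexed, as an added example that is not from the original thread: Splunk's props.conf/transforms.conf nullQueue routing, applied on the indexer or heavy forwarder that parses the feed. The sourcetype name `bro_dns` and the stanza name `drop_internal_srv` are assumptions; substitute whatever the bro DNS input is actually tagged as.

```ini
# props.conf
# Parsing-time filtering runs on the indexer or a heavy forwarder;
# a universal forwarder does not apply TRANSFORMS-based filters.
# "bro_dns" is an assumed sourcetype name for the bro DNS input.
[bro_dns]
TRANSFORMS-filter_internal = drop_internal_srv

# transforms.conf
[drop_internal_srv]
# Match the query field only as a whole field: bro DNS logs are
# tab-delimited, and the comma alternative covers the comma-separated
# sample above. Escaped dots keep look-alike names from matching.
REGEX = (?:\t|,)internal-srv\.ewade\.internal(?:\t|,)
# Send matching events to the nullQueue; everything else (including
# maliciouswebsite.g.mail.com) continues to the index queue unchanged.
DEST_KEY = queue
FORMAT = nullQueue
```

Broadening REGEX to `(?:\t|,)[^\t,]+\.ewade\.internal(?:\t|,)` would drop every internal hostname under that domain rather than just the one server.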