Hi TonyLeeVT,
Agreed that some of these extractions aren't doing exactly what's intended. Internally we're working on some updates; however, we don't have a time frame just yet.
First the message_type needed some rework.
EVAL-message_type = if(match(_raw,"Response:|response:"),"Response",if(match(_raw,"query:\s(\S+)\s(\w+)\s(\S+)\s((?:\+|\-)\S*)\s\((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\)"),"Query","unknown"))
Then split the request and response regex.
[dns_request]
REGEX = client\s(?<dns_request_client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?<dns_request_client_port>\d+).*\squery:\s(?<dns_request_queried_domain>\S+)\s(?<dns_request_class_name>\w+)\s(?<dns_request_type_name>\w+)\s(?<dns_request_setDC>(?:\+|\-)\S*)\s\((?<dns_request_name_serverIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)
[dns_response]
REGEX = \S+\s+(?<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\snamed\[(?<pid>\d+)\]\:\s(?<log_date>\S+)\s(?<log_time>\S+)\sclient\s(?<dns_response_client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?<dns_response_client_port>\d+)?[\D]*\s(?<dns_response_protocol>\w+):\squery:\s(?<dns_response_queried_domain>\S+)\s(?<dns_response_class_name>\w+)\s(?<dns_response_type_name>\w+)\sresponse:\s(?<dns_response_rcode>\w+)\s(?<dns_response_flags>\S+)\s?(?<dns_response_RR_in_TEXT>[\S+\s+]*)?
And to deal with the multiple records within the response we can split out again
[dns_incepted]
REGEX = (?<dns_record>[^;]+)
SOURCE_KEY = dns_response_RR_in_TEXT
MV_ADD = true
[dns_records_extract]
REGEX = (?<dns_answer_name>\S+)\s(?<dns_answer_ttl>\d+)\s(?<dns_class>\S+)\s(?<dns_type>\S+)\s(?<dns_rdata>\S+)
SOURCE_KEY = dns_record
MV_ADD = true
Hope this helps for now, however with all the changes it may be better to wait for the update.
Don
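To check the staged extraction above before committing it to props.conf/transforms.conf, here is an added example (not Don's code and not the add-on's own) that runs the same regexes with Python's re module over two constructed BIND query-log lines: the message_type decision, the separate request and response patterns, and the split of the response RR text into one record per ';' followed by the per-record field extraction. Python spells named groups as (?P<name>...) instead of (?<name>...), and the trailing [\S+\s+]* of the response regex, which is a character class matching any character, is written as .* here; everything else is the same pattern text. The sample lines, pid, IPs and domain are constructed.

```python
import re

# Added example: the staged extraction from the answer above, run with the
# re module so the patterns can be exercised offline. Python uses
# (?P<name>...) for named groups where Splunk uses (?<name>...).

IP = (r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
      r"|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4}")

# EVAL-message_type: response marker first, then the query shape.
RESPONSE_MARK = re.compile(r"Response:|response:")
QUERY_MARK = re.compile(
    r"query:\s(\S+)\s(\w+)\s(\S+)\s((?:\+|\-)\S*)\s\((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\)")

# [dns_request]
DNS_REQUEST = re.compile(
    rf"client\s(?P<dns_request_client_ip>{IP})#(?P<dns_request_client_port>\d+)"
    r".*\squery:\s(?P<dns_request_queried_domain>\S+)\s(?P<dns_request_class_name>\w+)"
    r"\s(?P<dns_request_type_name>\w+)\s(?P<dns_request_setDC>(?:\+|\-)\S*)"
    rf"\s\((?P<dns_request_name_serverIP>{IP})\)")

# [dns_response]; the original's trailing [\S+\s+]* matches any text, written as .* here.
DNS_RESPONSE = re.compile(
    r"\S+\s+(?P<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\snamed\[(?P<pid>\d+)\]:\s"
    r"(?P<log_date>\S+)\s(?P<log_time>\S+)\sclient\s"
    rf"(?P<dns_response_client_ip>{IP})#(?P<dns_response_client_port>\d+)?"
    r"[\D]*\s(?P<dns_response_protocol>\w+):\squery:\s(?P<dns_response_queried_domain>\S+)"
    r"\s(?P<dns_response_class_name>\w+)\s(?P<dns_response_type_name>\w+)\sresponse:\s"
    r"(?P<dns_response_rcode>\w+)\s(?P<dns_response_flags>\S+)\s?(?P<dns_response_RR_in_TEXT>.*)")

# [dns_incepted] and [dns_records_extract]
DNS_RECORD_SPLIT = re.compile(r"[^;]+")
DNS_RECORD = re.compile(
    r"(?P<dns_answer_name>\S+)\s(?P<dns_answer_ttl>\d+)\s(?P<dns_class>\S+)"
    r"\s(?P<dns_type>\S+)\s(?P<dns_rdata>\S+)")


def message_type(raw: str) -> str:
    """Same decision order as the EVAL: a response marker wins, then the query shape."""
    if RESPONSE_MARK.search(raw):
        return "Response"
    if QUERY_MARK.search(raw):
        return "Query"
    return "unknown"


def split_records(rr_text: str) -> list:
    """[dns_incepted] with MV_ADD: one entry per ';'-separated resource record."""
    return [m.group(0).strip() for m in DNS_RECORD_SPLIT.finditer(rr_text) if m.group(0).strip()]


def parse_event(raw: str) -> dict:
    """Apply the request or response regex picked by message_type, then expand the RRs."""
    event = {"message_type": message_type(raw)}
    if event["message_type"] == "Query":
        m = DNS_REQUEST.search(raw)
        if m:
            event.update(m.groupdict())
    elif event["message_type"] == "Response":
        m = DNS_RESPONSE.search(raw)
        if m:
            event.update(m.groupdict())
            records = split_records(event.get("dns_response_RR_in_TEXT") or "")
            event["dns_record"] = records
            event["dns_records"] = [
                r.groupdict() for r in (DNS_RECORD.search(rec) for rec in records) if r]
    return event


# Constructed sample lines in the shape the regexes expect (not real traffic).
REQUEST_LINE = ("20-Mar-2024 10:15:30.123 client 192.0.2.10#51234 (example.com): "
                "query: example.com IN A +E(0)K (198.51.100.1)")
RESPONSE_LINE = ("2024-03-20T10:15:30Z 198.51.100.1 named[1234]: 20-Mar-2024 10:15:30.456 "
                 "client 192.0.2.10#51234 (example.com): UDP: query: example.com IN A "
                 "response: NOERROR +E example.com. 300 IN A 93.184.216.34; "
                 "example.com. 300 IN A 93.184.216.35;")

if __name__ == "__main__":
    for line in (REQUEST_LINE, RESPONSE_LINE, "garbage line"):
        print(parse_event(line))
```

Running it shows why the request and response patterns had to be split: the response line also contains "query:", but message_type is decided by the "response:" marker first, and the request regex cannot match a response line because "response:" is not a "+"/"-" flag field followed by a parenthesised server IP. One check worth running against your own data: newer BIND releases write "client @0x... 192.0.2.10#51234 (...)", and the "client\s<ip>" prefix used by both patterns will not match that form without allowing for the pointer token.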