how can I turn one log event into multiple messages
I am parsing DNS logs (windows debug logs) where there may be multiple answers to one query (cname plus IP, or multiple cnames, or multiple IPs) but I want to normalize the output so that each output line contains one and only one answer (with the rest of the output being the same)
so if I start with
source 1.1.1.1 query type A query foo.com answer cname bar.com answer A 2.2.2.2
how can I get my output to be:
source 1.1.1.1 query type A query foo.com answer cname bar.com source 1.1.1.1 query type A query foo.com answer A 2.2.2.2
Davin,
Unfortunately that feature does not exist. The only option I can think of is using file_write() to create a second file to be parsed later.