I am new to Sentinel so please take it easy on me.

I have Sentinel collecting my named (BIND9) DNS logs, which are
unparsed. I am trying to do a search using regular expressions. For
example, let's say I want to find out how many queries for
www.nytimes.com my DNS server handled. I am searching with the
following string:

sev:[0 TO 5] AND "named" AND "" AND "www.nytimes.com" NOT
st:"I" NOT st:"A" NOT st:"P"

This works perfectly, but I noticed that some people are using nytimes.com
and not www.nytimes.com. To clean up my search string (instead of putting
in both the www and non-www domains) I wanted to use a regular expression,
similar to:

sev:[0 TO 5] AND "named" AND "" AND ".*nytimes.*" NOT st:"I"
NOT st:"A" NOT st:"P"

But that doesn't seem to work. So my question is simple:

1) Is it possible to use regular expressions in the search field?

2) If so, what flavor of regex should I be using? (I am used to bash
regular expressions, but can learn Java regex if I have to)

As a side note, I have to use the IP address of my DNS server instead of
the name. Is there a way to have Sentinel do reverse lookups so the
name can be used?

Thanks in advance.

savona's Profile: https://forums.netiq.com/member.php?userid=7706
View this thread: https://forums.netiq.com/showthread.php?t=51306
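The counting the poster wants to do, worked offline against raw named query-log lines, as an added example that is not part of the post above and not Sentinel's own search syntax. It parses the BIND9 query-log format (syslog prefix followed by "client <ip>#<port>: query: <name> IN <type> ...") with a regex, then matches the queried name against an anchored domain pattern so that both nytimes.com and www.nytimes.com count while unrelated names that merely contain the substring do not; a second function applies the unanchored ".*nytimes.*" pattern from the post for comparison. The log lines, hostnames and addresses are constructed sample data, and the regex for the log format is an assumption about BIND9's layout, not something taken from the poster's logs.

```python
import re
from collections import Counter

# Constructed sample lines in the shape BIND9 writes query-log entries
# (syslog prefix + "client <ip>#<port>: query: <qname> IN <qtype> ...").
# Names and addresses are made up for this example.
SAMPLE_LOG = """\
Jan 12 10:00:01 ns1 named[1234]: client 192.0.2.10#53412: query: www.nytimes.com IN A + (192.0.2.1)
Jan 12 10:00:02 ns1 named[1234]: client 192.0.2.11#40001: query: nytimes.com IN A + (192.0.2.1)
Jan 12 10:00:03 ns1 named[1234]: client 192.0.2.12#40002: query: notnytimes.example IN A + (192.0.2.1)
Jan 12 10:00:04 ns1 named[1234]: client 192.0.2.13#40003: query: static01.nytimes.com IN AAAA + (192.0.2.1)
Jan 12 10:00:05 ns1 named[1234]: client 192.0.2.10#53413: query: www.example.org IN A + (192.0.2.1)
Jan 12 10:00:06 ns1 named[1234]: client 192.0.2.14#40004: query: nytimes.com.evil.example IN A + (192.0.2.1)
"""

# Assumed BIND9 query-log layout: optional "@0x..." client handle, client
# address and port, optional "(qname)" echo, then "query: <qname> IN <qtype>".
QUERY_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<client>[\d.:a-fA-F]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def domain_matcher(domain):
    """Anchored pattern: the queried name is the domain itself or a subdomain
    of it. re.escape keeps the dots in the domain literal, and the optional
    trailing dot tolerates fully qualified names."""
    return re.compile(r"(?:^|\.)" + re.escape(domain) + r"\.?$", re.IGNORECASE)


def count_queries(log_text, domain):
    """Return a Counter of queried names under `domain`, one entry per query."""
    matcher = domain_matcher(domain)
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line (or a format this regex does not know)
        qname = m.group("qname")
        if matcher.search(qname):
            hits[qname] += 1
    return hits


def count_loose(log_text, pattern):
    """The unanchored substring style match (e.g. '.*nytimes.*'), for comparison:
    it also counts names that merely contain the string somewhere."""
    loose = re.compile(pattern, re.IGNORECASE)
    return sum(
        1
        for line in log_text.splitlines()
        if (m := QUERY_RE.search(line)) and loose.search(m.group("qname"))
    )


if __name__ == "__main__":
    exact = count_queries(SAMPLE_LOG, "nytimes.com")
    print("anchored match:", sum(exact.values()), dict(exact))
    print("loose '.*nytimes.*' match:", count_loose(SAMPLE_LOG, ".*nytimes.*"))
```

On the sample data the anchored matcher counts three queries (www.nytimes.com, nytimes.com, static01.nytimes.com), while the unanchored pattern counts five because it also picks up notnytimes.example and nytimes.com.evil.example. The same anchoring idea (leading dot or start of string, escaped literal domain, end of string) carries over to whatever regex dialect a search engine supports; the unanchored form is the one to avoid when the numbers are meant to be reported.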