Query Fields
Overview
The query fields describe a name resolution operation performed to obtain resource information associated with a provided name. They represent protocol-agnostic properties of lookup activity that translate names into records, addresses, or related data. The entity defines a normalized structure that captures the essential attributes of resolution behavior independent of transport mechanisms or protocol-specific encodings.
Design and Usage
The query entity models the conceptual characteristics of a lookup request and its corresponding result. It applies to DNS and other name resolution systems that follow a request and response pattern for retrieving resource information. The fields describe the requested name, the category and type of data being sought, the returned values, and the outcome of the resolution process. The model supports consistent interpretation of lookup events even when different protocols implement these semantics differently.
Common Use Cases
- Monitoring lookup activity to support threat detection and network forensics
- Correlating resolution outcomes with application behavior and connection attempts
- Investigating lookup failures, misconfigurations, or anomalous query patterns
Implementation Notes
As a top-level entity, query defines the complete object representing a single name resolution operation. It should be modeled independently of protocol-specific formats, while remaining compatible with standards such as DNS where applicable. Numeric identifiers and result values may align with DNS conventions, but normalization should reflect conceptual meaning rather than protocol encoding. If additional lookup mechanisms are introduced in the future, corresponding fields should be extended in a manner that maintains clarity and preserves the abstract representation of name resolution activity.
| field | field_type | description | example_values |
|---|---|---|---|
| query_class | keyword | Represents the namespace or category associated with the resolution request as defined by the applicable naming system. | IN |
| query_record_type | keyword | Identifies the type of resource information requested during the lookup operation. | A, AAAA, MX, SRV |
| query_record_type_code | keyword | Numeric identifier representing the resource record type requested by the lookup. | 1, 3, 5 |
| query_request | keyword | Name submitted for resolution during the lookup operation. | www.graylog.org |
| query_request_length | long | Number of characters contained in the name submitted for resolution. | 25 |
| query_response | keyword | Returned resource information associated with the resolved name. | 93.184.216.34 |
| query_response_length | long | Number of characters contained in the returned resolution data. | 25 |
| query_result | keyword | Indicates the outcome of the lookup operation. | NXDOMAIN, NOERROR |
| query_result_code | keyword | Numeric identifier representing the outcome of the lookup, aligned with standard resolution result codes. | 0, 3 |
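The following is an added example of how a resolver log line can be normalized into the query fields above; it is not Graylog's own code. It assumes a hypothetical key=value resolver log format (constructed here) and uses the standard DNS record type and RCODE numbers from RFC 1035 for the two code fields, which are stored as strings because the schema types them as keyword. The lookup-failure tally at the end illustrates the "investigating lookup failures" use case from the list above.

```python
"""Normalize resolver log lines into the protocol-agnostic query_* fields.

Added example, not part of the schema page or Graylog's code base.
The key=value log format below is hypothetical and constructed for the demo.
"""
import re
from collections import Counter

# Resource record type numbers (RFC 1035 and the IANA DNS parameters
# registry); subset only, unknown types are passed through without a code.
RECORD_TYPE_CODES = {
    "A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
    "TXT": 16, "AAAA": 28, "SRV": 33,
}

# Response codes (RCODE) from RFC 1035 / RFC 6895.
RESULT_CODES = {
    "NOERROR": 0, "FORMERR": 1, "SERVFAIL": 2, "NXDOMAIN": 3,
    "NOTIMP": 4, "REFUSED": 5,
}

# Constructed sample lines in the hypothetical key=value format.
# 93.184.216.34 is the example address from the table; 2001:db8::1 is a
# documentation-prefix address.
SAMPLE_LINES = [
    "ts=2024-05-01T12:00:00Z client=10.0.0.5 name=www.graylog.org "
    "class=IN type=A rcode=NOERROR answer=93.184.216.34",
    "ts=2024-05-01T12:00:01Z client=10.0.0.5 name=www.graylog.org "
    "class=IN type=AAAA rcode=NOERROR answer=2001:db8::1",
    "ts=2024-05-01T12:00:02Z client=10.0.0.9 name=missing.example.invalid "
    "class=IN type=A rcode=NXDOMAIN answer=",
    "ts=2024-05-01T12:00:03Z client=10.0.0.9 name=broken.example.invalid "
    "class=IN type=MX rcode=SERVFAIL answer=",
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv_line(line):
    """Split a key=value log line into a dict; quoted values are unquoted.
    A key with an empty value (e.g. 'answer=') is simply absent."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def _as_keyword(code):
    """Code fields are typed 'keyword' in the schema, so store them as text."""
    return None if code is None else str(code)


def normalize_query(line):
    """Map one raw resolver log line onto the query_* field set."""
    raw = parse_kv_line(line)
    name = raw.get("name", "")
    record_type = raw.get("type", "").upper()
    result = raw.get("rcode", "").upper()
    answer = raw.get("answer", "")
    return {
        "query_class": raw.get("class", "IN").upper(),
        "query_record_type": record_type,
        "query_record_type_code": _as_keyword(RECORD_TYPE_CODES.get(record_type)),
        "query_request": name,
        "query_request_length": len(name),
        "query_response": answer,
        "query_response_length": len(answer),
        "query_result": result,
        "query_result_code": _as_keyword(RESULT_CODES.get(result)),
        # Kept outside the query entity; useful for correlation with the client.
        "source_ip": raw.get("client", ""),
    }


def failure_counts(lines):
    """Count non-NOERROR lookups per client, the basis for a simple
    lookup-failure investigation or an NXDOMAIN-rate alert."""
    counts = Counter()
    for line in lines:
        event = normalize_query(line)
        if event["query_result"] != "NOERROR":
            counts[event["source_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(normalize_query(sample))
    print("failures per client:", failure_counts(SAMPLE_LINES))
```

Only the query_* keys are part of the entity described on this page; `source_ip` is carried along purely so that failures can be grouped by client. Record types or result strings the tables do not know are retained verbatim with a `None` code rather than dropped, so nothing is silently lost during normalization.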
