Filter DNS events by domain


We have a lot of internal DNS queries, and I wonder if there is a way to filter the DNS events in Suricata eve.json file.

For instance, I don’t see any filtering option in the docs, such as one based on the DNS domain.

Thanks for your help.


cat (or tail) /var/log/suricata/eve.json | grep -i [domain]?

Or use something like ELK / Splunk for further querying?
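As an added example (not from either poster, and not Suricata's own tooling), here is a small Python filter that does what the grep one-liner approximates, but on parsed JSON: it keeps only event_type "dns" records, matches the domain as a suffix rather than a substring (so "corp.example" does not match "corp.example.attacker.test" or an http event that merely mentions the string), and can be inverted to drop the noisy internal domains the question is about. It assumes the eve DNS layout with the queried name in dns.rrname and answer records under dns.answers[].rrname; the sample lines are constructed for the demonstration, not real sensor output, and the log path in the usage comment is the default from the reply above.

```python
"""Filter Suricata eve.json DNS events by domain suffix (added example)."""
import json
import sys
from typing import Iterable, Iterator

# Constructed sample eve.json lines, not captured from a sensor. They include
# a query, an answer, a non-DNS flow event that still contains the string
# "dns", a substring trap for grep, and a truncated line such as `tail -f`
# hands you while Suricata is mid-write.
SAMPLE_EVE = "\n".join([
    json.dumps({"timestamp": "2024-01-01T10:00:00.000000+0000", "event_type": "dns",
                "src_ip": "10.0.0.5", "dest_ip": "10.0.0.53",
                "dns": {"version": 2, "type": "query", "id": 1,
                        "rrname": "intranet.corp.example", "rrtype": "A"}}),
    json.dumps({"timestamp": "2024-01-01T10:00:01.000000+0000", "event_type": "dns",
                "src_ip": "10.0.0.53", "dest_ip": "10.0.0.5",
                "dns": {"version": 2, "type": "answer", "id": 2, "rcode": "NOERROR",
                        "rrname": "www.example.org", "rrtype": "A",
                        "answers": [{"rrname": "www.example.org", "rrtype": "A",
                                     "ttl": 60, "rdata": "203.0.113.10"}]}}),
    json.dumps({"timestamp": "2024-01-01T10:00:02.000000+0000", "event_type": "flow",
                "src_ip": "10.0.0.5", "dest_ip": "10.0.0.53", "app_proto": "dns"}),
    json.dumps({"timestamp": "2024-01-01T10:00:03.000000+0000", "event_type": "dns",
                "src_ip": "10.0.0.7", "dest_ip": "10.0.0.53",
                "dns": {"version": 2, "type": "query", "id": 3,
                        "rrname": "corp.example.attacker.test", "rrtype": "A"}}),
    '{"timestamp": "2024-01-01T10:00:04.000000+0000", "event_type": "dns", "dns": {"rrname": "tr',
])


def _names_in(dns: dict) -> set:
    """Collect every name an eve DNS record carries: the queried rrname plus
    the rrname of each answer record (assumed v2 layout). Normalised to
    lower case without the trailing dot so comparisons are exact."""
    names = set()
    if dns.get("rrname"):
        names.add(dns["rrname"])
    for answer in dns.get("answers", []):
        if answer.get("rrname"):
            names.add(answer["rrname"])
    return {n.lower().rstrip(".") for n in names}


def _matches(name: str, suffixes: tuple) -> bool:
    """Suffix match on label boundaries: 'corp.example' matches itself and
    'x.corp.example', but not 'corp.example.attacker.test' or 'notcorp.example'."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def filter_dns_events(lines: Iterable[str], domains: Iterable[str],
                      exclude: bool = False) -> Iterator[dict]:
    """Yield parsed eve DNS events whose names fall under one of `domains`.
    With exclude=True the selection is inverted, which is the 'drop the
    internal queries' case. Non-DNS events and lines that are not valid
    JSON (partial writes, corruption) are skipped rather than raising."""
    suffixes = tuple(d.lower().strip().strip(".") for d in domains if d.strip())
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") != "dns":
            continue
        hit = any(_matches(n, suffixes) for n in _names_in(event.get("dns", {})))
        if hit != exclude:
            yield event


if __name__ == "__main__":
    # Usage: python eve_dns_filter.py corp.example [more.suffixes] [--exclude] \
    #            < /var/log/suricata/eve.json
    # Output is still one JSON object per line, so it can be piped onward.
    args = sys.argv[1:] or ["corp.example"]
    invert = "--exclude" in args
    wanted = [a for a in args if a != "--exclude"]
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_EVE.splitlines()
    for ev in filter_dns_events(source, wanted, exclude=invert):
        print(json.dumps(ev))
```

Run without stdin it filters the constructed sample; pointed at a real eve.json it behaves the same way, and because it works on the parsed record rather than the raw text it is safe to feed the output straight into a second tool or to extend with a match on rdata as well.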