DNS Answers in ODS feed to Splunk

Our security team would like to export the DNS Requests and DNS Response data to Splunk for some SIEM functions that they’re using. I’ve been able to provide all information they’ve requested except the IP that is answered on the Response. I’ve tried all different configurations of code to get Answers to write out to just a text string and am failing horribly (I’m not a developer in any sense). Has anyone encountered this situation and succeeded?

Example context of code
" eh_event=DNSResponse" +
" client_ip=" + Flow.client.ipaddr +
" server_ip=" + Flow.server.ipaddr +
" server_name=" + (Flow.server.device.dnsNames || Flow.server.device.dhcpName || Flow.server.device.netbiosName || Flow.server.device.cdpName || "undefined") +
" client_name=" + (Flow.client.device.dnsNames || Flow.client.device.dhcpName || Flow.client.device.netbiosName || Flow.client.device.cdpName || "undefined") +
" HostQuery=" + DNS.qname +
" Response L2bytes=" + DNS.rspL2Bytes +
" OpCode=" + DNS.opcode +
" Process_Time=" + DNS.processingTime +
" DNS_Answer=" + DNS.answers.toString


Because DNS.answers is an array, JavaScript doesn’t innately know what string representation is appropriate for it. Replacing DNS.answers.toString with JSON.stringify(DNS.answers) will give you a JSON string containing the answers.

This worked like a charm. Thank you!!
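Added example, not part of the original posts: a stand-alone JavaScript comparison of `DNS.answers.toString`, `toString()` and `JSON.stringify`, plus a hypothetical helper that flattens the answers into one quoted key=value field so untrusted record data cannot split or inject fields in the SIEM event. The sample array is constructed, and the record field names (`name`, `type`, `ttl`, `data`) and the helper names are assumptions for illustration.

```javascript
// Constructed sample shaped like an array of DNS answer records.
// Field names (name, type, ttl, data) are assumptions for illustration.
const sampleAnswers = [
  { name: "www.example.com", type: "CNAME", ttl: 300, data: "web.example.com" },
  { name: "web.example.com", type: "A", ttl: 60, data: "192.0.2.10" },
  { name: "web.example.com", type: "A", ttl: 60, data: "192.0.2.11" }
];

// Quote a value so embedded spaces, quotes or newlines cannot split
// the key=value pair or inject extra fields into the event.
function kvQuote(value) {
  const s = String(value)
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/[\r\n]+/g, " ");
  return '"' + s + '"';
}

// Collapse the answers array into one delimited, quoted string field.
function answersToField(answers) {
  if (!Array.isArray(answers) || answers.length === 0) {
    return kvQuote("none");
  }
  const parts = answers.map(a => a.type + ":" + a.data);
  return kvQuote(parts.join(","));
}

// The behaviours side by side.
function compare(answers) {
  return {
    // .toString without () is the function itself, so its source is appended
    fnReference: "" + answers.toString,
    // calling it joins each element's default string form
    called: "" + answers.toString(),
    // full structure as JSON
    json: JSON.stringify(answers),
    // one flat, quoted field
    flat: answersToField(answers)
  };
}

const result = compare(sampleAnswers);
console.log(" DNS_Answer=" + result.flat);
console.log(" DNS_Answer_json=" + result.json);
```

The JSON form contains double quotes of its own, so it suits a sink that parses the whole event as JSON; the flat quoted field suits the space-separated key=value line shown in the question.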