@iamhowardtheduck
Last active December 2, 2019 18:29
Pi-Hole ECS Elastic Ingest Node Pipeline
PUT /_ingest/pipeline/pi-hole
{
"description" : "Pi-Hole Parser",
"version" : 1,
"processors" : [
{
"grok" : {
"field" : "message",
"patterns" : [
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>query)\\[(?<dns.question.type>A)\\] %{NOTSPACE:dns.question.name} (?<dns.question.class>from) %{IP:client.ip}",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>query)\\[(?<dns.question.type>AAAA)\\] %{NOTSPACE:dns.question.name} (?<dns.question.class>from) %{IP:client.ip}",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>query)\\[(?<dns.question.type>PTR)\\] %{NOTSPACE:dns.question.name} (?<dns.question.class>from) %{IP:client.ip}",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>query)\\[(?<dns.question.type>TXT)\\] %{HOSTNAME:dns.question.domain} (?<dns.question.class>from) %{IP:client.ip}",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>query)\\[(?<dns.question.type>TXT)\\] %{NOTSPACE:dns.question.name} (?<dns.question.class>from) %{IP:client.ip}",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>query)\\[(?<dns.question.type>SOA)\\] %{HOSTNAME:dns.question.domain} (?<dns.question.class>from) %{IP:client.ip}",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>query)\\[(?<dns.question.type>MX)\\] %{NOTSPACE:dns.question.name} (?<dns.question.class>from) %{IP:client.ip}",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>query)\\[(?<dns.question.type>NS)\\] %{NOTSPACE:dns.question.name} (?<dns.question.class>from) %{IP:client.ip}",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>reply) %{NOTSPACE:dns.question.name} (?<dns.question.class>is)\\s+%{NOTSPACE:dns.answers.name}",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>reply) %{NOTSPACE:dns.question.name} (?<dns.question.class>is) \\<%{NOTSPACE:dns.answers.name}\\>",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>reply) %{NOTSPACE:dns.question.name} (?<dns.question.class>is)",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>forwarded) %{NOTSPACE:dns.question.address} (?<dns.question.class>to) %{IP:server.ip}",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>cached) %{IP:dns.question.ip} (?<dns.question.class>is) %{IPORHOST:server.domain}",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>cached) %{IP:dns.question.ip} (?<dns.question.class>is) %{NOTSPACE:dns.answers.name}",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>cached) %{HOSTNAME:dns.question.domain} (?<dns.question.class>is) %{NOTSPACE:dns.answers.name}",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>cached) %{NOTSPACE:dns.question.name} (?<dns.question.class>is) %{NOTSPACE:dns.answers.name}",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>cached) %{NOTSPACE:dns.question.name} (?<dns.question.class>is)",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.message>\\/etc\\/pihole\\/\\S+) %{NOTSPACE:dns.question.name} (?<dns.question.class>is) %{NOTSPACE:dns.answers.name}",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>reply) %{NOTSPACE:dns.question.name} %{WORD:dns.answers.class}[\\s+| \\S+ ]+%{WORD:network.type}:((?<dns.answer.cidr.1>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.1}) [~|-]all",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>reply) %{NOTSPACE:dns.question.name} %{WORD:dns.answers.class}[\\s+| \\S+ ]+%{WORD:network.type}:((?<dns.answer.cidr.1>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.1})\\s%{WORD:network.type}:((?<dns.answer.cidr.2>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.2}) [~|-]all",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>reply) %{NOTSPACE:dns.question.name} %{WORD:dns.answers.class}[\\s+| \\S+ ]+%{WORD:network.type}:((?<dns.answer.cidr.1>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.1})\\s%{WORD:network.type}:((?<dns.answer.cidr.2>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.2})\\s%{WORD:network.type}:((?<dns.answer.cidr.3>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.3}) [~|-]all",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>reply) %{NOTSPACE:dns.question.name} %{WORD:dns.answers.class}[\\s+| \\S+ ]+%{WORD:network.type}:((?<dns.answer.cidr.1>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.1})\\s%{WORD:network.type}:((?<dns.answer.cidr.2>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.2})\\s%{WORD:network.type}:((?<dns.answer.cidr.3>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.3})\\s+%{WORD:network.type}:((?<dns.answer.cidr.4>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.4}) [~|-]all",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>reply) %{NOTSPACE:dns.question.name} %{WORD:dns.answers.class}[\\s+| \\S+ ]+%{WORD:network.type}:((?<dns.answer.cidr.1>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.1})\\s%{WORD:network.type}:((?<dns.answer.cidr.2>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.2})\\s%{WORD:network.type}:((?<dns.answer.cidr.3>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.3})\\s+%{WORD:network.type}:((?<dns.answer.cidr.4>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.4})\\s%{WORD:network.type}:((?<dns.answer.cidr.5>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.5}) [~|-]all",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>reply) %{NOTSPACE:dns.question.name} %{WORD:dns.answers.class}[\\s+| \\S+ ]+%{WORD:network.type}:((?<dns.answer.cidr.1>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.1})\\s%{WORD:network.type}:((?<dns.answer.cidr.2>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.2})\\s%{WORD:network.type}:((?<dns.answer.cidr.3>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.3})\\s+%{WORD:network.type}:((?<dns.answer.cidr.4>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.4})\\s%{WORD:network.type}:((?<dns.answer.cidr.5>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.5})\\s%{WORD:network.type}:((?<dns.answer.cidr.6>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.6}) [~|-]all",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>reply) %{NOTSPACE:dns.question.name} %{WORD:dns.answers.class}[\\s+| \\S+ ]+%{WORD:network.type}:((?<dns.answer.cidr.1>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.1})\\s%{WORD:network.type}:((?<dns.answer.cidr.2>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.2})\\s%{WORD:network.type}:((?<dns.answer.cidr.3>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.3})\\s+%{WORD:network.type}:((?<dns.answer.cidr.4>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.4})\\s%{WORD:network.type}:((?<dns.answer.cidr.5>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.5})\\s%{WORD:network.type}:((?<dns.answer.cidr.6>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.6})\\s+%{WORD:network.type}:((?<dns.answer.cidr.7>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.7}) [~|-]all",
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG:Prog}: (?<dns.type>reply) %{NOTSPACE:dns.question.name} %{WORD:dns.answers.class}[\\s+| \\S+ ]+%{WORD:network.type}:((?<dns.answer.cidr.1>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.1})\\s%{WORD:network.type}:((?<dns.answer.cidr.2>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.2})\\s%{WORD:network.type}:((?<dns.answer.cidr.3>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.3})\\s+%{WORD:network.type}:((?<dns.answer.cidr.4>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.4})\\s%{WORD:network.type}:((?<dns.answer.cidr.5>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.5})\\s%{WORD:network.type}:((?<dns.answer.cidr.6>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.6})\\s+%{WORD:network.type}:((?<dns.answer.cidr.7>\\d+[.]\\d+[.]\\d+[.]\\d+\\/\\d+)|%{IP:dns.answer.ip.7}) [~|-]all"],
"on_failure":[{"set":{"field":"tags","value" : "Parsing Error"}}]}},
{"date":{"field":"timestamp","timezone":"America/New_York","formats":["MMM dd HH:mm:ss","MMM d HH:mm:ss"],"on_failure" : [
{"set":{"field":"tags","value":"Date Error - \"timestamp\" "}}]}},
{"grok":{"if": "ctx.dns.question.type == 'A'", "field": "dns.question.name", "patterns":[
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ac$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ad$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].au$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ae$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].af$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ag$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ai$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].al$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].am$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ao$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].aq$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ar$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].as$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].at$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].au$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].aw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ax$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].az$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ba$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bb$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bd$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].be$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bh$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bi$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bj$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bo$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].br$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bs$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].by$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch|ab|bc|mb|nf|nl|ns|nt|nu|on|pe|qc|sk|yk|alberta].ca$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cd$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ch$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ci$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ck$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].co$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cv$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cx$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cy$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].de$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].dj$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].dk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].dm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].do$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].dz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ec$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ee$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].eg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].er$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].es$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].et$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].eu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].fi$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].fj$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].fk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].fm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].fo$)",
"(?<dns.question.domain>[^.]+.[ac|co|com|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch|tm].fr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ga$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gd$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ge$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gh$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gi$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gp$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gq$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gs$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gy$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].hk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].hm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].hn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].hr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ht$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].hu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].id$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ie$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].il$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].im$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].in$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].io$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].iq$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ir$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].is$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].it$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].je$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].jm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].jo$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].jp$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ke$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kh$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ki$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].km$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kp$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ky$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].la$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lb$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].li$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ls$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lv$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ly$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ma$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].md$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].me$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mh$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ml$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mo$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mp$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mq$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ms$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mv$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mx$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].my$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].na$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ne$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ng$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ni$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].no$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].np$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].om$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pa$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pe$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ph$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ps$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].py$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].qa$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].re$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ro$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].rs$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ru$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].rw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sa$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sb$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sd$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].se$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sh$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].si$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].so$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ss$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].st$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].su$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sv$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sx$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sy$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].td$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].th$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tj$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].to$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tv$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ua$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ug$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].uk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].us$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].uy$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].uz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].va$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].vc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ve$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].vg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].vi$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].vn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].vu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].wf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ws$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ye$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].yt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].za$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].zm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].zw$)",
"(?<dns.question.domain>[^.]+.[^.]+$)"], "on_failure":[{"set":{"field":"tags","value" : "Parsing Error - A ? DOMAIN NAME"}}]}},
{"grok":{"if": "ctx.dns.question.type == 'AAAA'", "field": "dns.question.name", "patterns":[
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ac$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ad$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].au$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ae$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].af$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ag$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ai$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].al$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].am$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ao$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].aq$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ar$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].as$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].at$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].au$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].aw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ax$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].az$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ba$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bb$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bd$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].be$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bh$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bi$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bj$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bo$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].br$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bs$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].by$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch|ab|bc|mb|nf|nl|ns|nt|nu|on|pe|qc|sk|yk|alberta].ca$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cd$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ch$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ci$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ck$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].co$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cv$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cx$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cy$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].de$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].dj$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].dk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].dm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].do$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].dz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ec$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ee$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].eg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].er$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].es$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].et$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].eu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].fi$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].fj$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].fk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].fm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].fo$)",
"(?<dns.question.domain>[^.]+.[ac|co|com|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch|tm].fr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ga$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gd$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ge$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gh$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gi$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gp$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gq$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gs$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gy$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].hk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].hm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].hn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].hr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ht$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].hu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].id$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ie$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].il$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].im$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].in$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].io$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].iq$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ir$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].is$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].it$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].je$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].jm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].jo$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].jp$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ke$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kh$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ki$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].km$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kp$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ky$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].la$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lb$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].li$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ls$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lv$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ly$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ma$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].md$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].me$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mh$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ml$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mo$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mp$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mq$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ms$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mv$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mx$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].my$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].na$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ne$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ng$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ni$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].no$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].np$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].om$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pa$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pe$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ph$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ps$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].py$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].qa$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].re$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ro$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].rs$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ru$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].rw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sa$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sb$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sd$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].se$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sh$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].si$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].so$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ss$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].st$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].su$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sv$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sx$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sy$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].td$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].th$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tj$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].to$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tv$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ua$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ug$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].uk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].us$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].uy$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].uz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].va$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].vc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ve$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].vg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].vi$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].vn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].vu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].wf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ws$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ye$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].yt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].za$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].zm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].zw$)",
"(?<dns.question.domain>[^.]+.[^.]+$)"], "on_failure":[{"set":{"field":"tags","value" : "Parsing Error - AAAA ? DOMAIN NAME"}}]}},
{"grok":{"if": "ctx.dns.question.type == 'PTR'", "field": "dns.question.name", "patterns":[
"(?<dns.question.domain>.in-addr.arpa$)",
"(?<dns.question.domain>[^.]+.[^.]+$$)"]}},
{"grok":{"if": "ctx.dns.question.type == 'A'", "field": "dns.question.name", "patterns":[
"(?<dns.question.subdomain.sub1>\\d+[.]\\d+[.]\\d+[.]\\d+)",
"(?<dns.question.subdomain.sub1>[^.]+)"], "on_failure":[{"set":{"field":"tags","value" : "Parsing Error - A SUBDOMAIN 1"}}]}},
{"grok":{"if": "ctx.dns.question.type == 'AAAA'", "field": "dns.question.name", "patterns":[
"(?<dns.question.subdomain.sub1>\\d+[.]\\d+[.]\\d+[.]\\d+)",
"(?<dns.question.subdomain.sub1>[^.]+)"], "on_failure":[{"set":{"field":"tags","value" : "Parsing Error - AAAA SUBDOMAIN 1"}}]}},
{"grok":{"if": "ctx.dns.question.type == 'PTR'", "field": "dns.question.name", "patterns":[
"(?<dns.question.subdomain.sub1>\\d+[.]\\d+[.]\\d+[.]\\d+)",
"(?<dns.question.subdomain.sub1>[^.]+)"], "on_failure":[{"set":{"field":"tags","value" : "Parsing Error - PTR SUBDOMAIN 1"}}]}},
{"grok":{"if": "ctx.dns.type == 'reply'", "field":"dns.answers.name","patterns":[
"(?<server.ip>\\d+[.]\\d+[.]\\d+[.]\\d+$)",
"(?<dns.answers.name>[NXDOMAIN|NODATA-IPv6|NODATA-IPv4|SERVFAIL]$)",
"\\<(?<dns.answers.name>CNAME)\\>$",
"%{HOSTNAME:server.domain}$"],"on_failure":[{"set":{"field":"tags","value" : "Parsing Error - REPLY ANSWER NAME"}}]}},
{"grok":{"if": "ctx.dns.type == 'reply'", "field":"dns.question.name","patterns":[
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ac$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ad$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].au$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ae$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].af$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ag$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ai$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].al$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].am$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ao$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].aq$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ar$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].as$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].at$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].au$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].aw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ax$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].az$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ba$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bb$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bd$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].be$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bh$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bi$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bj$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bo$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].br$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bs$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].by$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].bz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch|ab|bc|mb|nf|nl|ns|nt|nu|on|pe|qc|sk|yk|alberta].ca$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cd$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ch$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ci$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ck$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].co$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cv$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cx$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cy$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].cz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].de$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].dj$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].dk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].dm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].do$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].dz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ec$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ee$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].eg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].er$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].es$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].et$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].eu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].fi$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].fj$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].fk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].fm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].fo$)",
"(?<dns.question.domain>[^.]+.[ac|co|com|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch|tm].fr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ga$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gd$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ge$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gh$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gi$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gp$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gq$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gs$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].gy$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].hk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].hm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].hn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].hr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ht$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].hu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].id$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ie$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].il$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].im$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].in$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].io$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].iq$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ir$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].is$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].it$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].je$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].jm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].jo$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].jp$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ke$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kh$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ki$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].km$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kp$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ky$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].kz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].la$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lb$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].li$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ls$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].lv$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ly$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ma$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].md$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].me$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mh$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ml$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mo$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mp$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mq$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ms$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mv$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mx$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].my$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].mz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].na$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ne$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ng$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ni$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].no$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].np$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].nz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].om$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pa$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pe$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ph$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ps$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].pw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].py$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].qa$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].re$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ro$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].rs$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ru$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].rw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sa$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sb$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sd$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].se$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sh$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].si$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].so$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ss$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].st$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].su$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sv$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sx$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sy$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].sz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].td$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].th$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tj$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tl$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].to$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tr$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tv$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tw$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].tz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ua$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ug$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].uk$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].us$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].uy$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].uz$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].va$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].vc$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ve$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].vg$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].vi$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].vn$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].vu$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].wf$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ws$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].ye$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].yt$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].za$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].zm$)",
"(?<dns.question.domain>[^.]+.[ac|co|gov|judiciary|ltd|me|mod|net|nhs|nic|org|parliament|plc|police|sch].zw$)",
"(?<dns.question.domain>[^.]+.[^.]+$)",
"(?<server.ip>\\d+[.]\\d+[.]\\d+[.]\\d+$)"],"on_failure":[{"set":{"field":"tags","value" : "Parsing Error - REPLY ? NAME"}}]}},
{"grok":{"if": "ctx.dns.type == 'reply'", "field":"dns.question.name","patterns":[
"%{HOSTNAME:server.domain}"],"on_failure":[{"set":{"field":"tags","value" : "Parsing Error - REPLY ? NAME"}}]}},
{"grok":{"if": "ctx.dns.type == 'reply'", "field":"dns.question.name","patterns":[
"(?<dns.question.subdomain.sub1>\\d+[.]\\d+[.]\\d+[.]\\d+)",
"(?<dns.question.subdomain.sub1>[^.]+)"
],"on_failure":[{"set":{"field":"tags","value" : "Parsing Error - REPLY ? NAME"}}]}},
{"geoip":{"field":"client.ip","target_field":"client.geo","ignore_missing":true}},
{"geoip" : {
"field" : "source.ip",
"target_field" : "source.geo",
"ignore_missing" : true
}
},
{
"geoip" : {
"field" : "destination.ip",
"target_field" : "destination.geo",
"ignore_missing" : true
}
},
{
"geoip" : {
"field" : "server.ip",
"target_field" : "server.geo",
"ignore_missing" : true
}
},
{
"geoip" : {
"field" : "host.ip",
"target_field" : "host.geo",
"ignore_missing" : true
}
}
]
}