Hey everyone, I'm using an ELK stack for our BIND (DNS) query logs and would like to create a "Top Domains" visualization, which I can almost do with the full 'dns_dest' field. But I don't want the full URL of the lookup, just the domain name.
Can I use a scripted field to create a new field with the domain? It's just for visualization purposes (I think) so a scripted field might do the trick.
Would it be more efficient to have Logstash do this with a filter?
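One way to do the extraction in Ruby, as an added example that is not part of the original post and not Logstash's own code; the multi-label suffix list is a constructed, partial stand-in for the Public Suffix List, and the sample query names are constructed:

```ruby
# Added example (not from the original post): reduce a BIND query name to its
# registrable domain so "www.example.com." and "mail.example.com." both count
# toward example.com in a Top Domains visualization.

# Constructed, deliberately short list of multi-label public suffixes; a real
# deployment should use the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = %w[co.uk org.uk ac.uk com.au net.au co.jp com.br].freeze

# Returns the registrable domain, or nil when there is no sensible answer
# (empty name, a single label, or a reverse-lookup zone).
def registered_domain(qname)
  return nil if qname.nil?
  # BIND logs fully-qualified names with a trailing dot; normalize case too.
  name = qname.strip.downcase.chomp('.')
  labels = name.split('.').reject(&:empty?)
  return nil if labels.size < 2
  # PTR lookups are not domains worth counting.
  return nil if name.end_with?('in-addr.arpa', 'ip6.arpa')
  two = labels.last(2).join('.')
  # Known two-label suffix (co.uk): the registrable domain is three labels.
  if MULTI_LABEL_SUFFIXES.include?(two)
    return nil if labels.size < 3
    return labels.last(3).join('.')
  end
  two
end

# Aggregate a batch of query names into counts, as the visualization would.
def top_domains(qnames)
  counts = Hash.new(0)
  qnames.each do |q|
    d = registered_domain(q)
    counts[d] += 1 if d
  end
  counts.sort_by { |dom, n| [-n, dom] }
end

# Constructed sample query names, in the form BIND logs them.
SAMPLE_QUERIES = %w[www.example.com. mail.example.com. example.com.
                    cdn.example.co.uk. 1.0.168.192.in-addr.arpa. localhost].freeze

if __FILE__ == $PROGRAM_NAME
  top_domains(SAMPLE_QUERIES).each { |dom, n| puts "#{n}\t#{dom}" }
end
```

In a Logstash `ruby` filter the same function can be called as `event.set('dns_domain', registered_domain(event.get('dns_dest')))`, with `dns_domain` an assumed field name. A Kibana scripted field can do the same split, but it is recomputed at query time for every document, whereas the Logstash filter stores the value once at index time.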