Thanks for the fast response,
I thought KQL is based on Lucene? So is Lucene "the standard"?
So for this script I need to change to Lucene and just put it in there? I can't see multiple lines there, just one for "Search".
So I changed from Splunk to ELK because I thought it would be easier for my project. Isn't there any chance to create a new value based on the string length of DNS queries?
Best regards