Absolutely! Here is the processor that is confirmed to work, including the back reference I was looking for.
{
  "gsub": {
    "description": "Populate dns.question.registered_domain from dns.question.name",
    "field": "dns.question.name",
    "target_field": "dns.question.registered_domain",
    "pattern": ".*\\.([^.]+\\.[^.]+)",
    "replacement": "$1",
    "ignore_missing": true,
    "ignore_failure": false
  }
}
And it transforms these:
radio.twc.weather.com
screenhub-builds.s3.amazonaws.com
mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
to these:
weather.com
amazonaws.com
sophos.com
Thanks again!
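The gsub regex from the post, reproduced in Python so its behaviour can be checked offline and compared with the general rule it approximates (registered domain = longest public suffix plus one label). This is an added example, not code from the post or from Elastic; the PUBLIC_SUFFIXES table is a constructed stand-in for the Public Suffix List and the two extra sample names are constructed. The comparison goes beyond the post's three inputs: on a two-label public suffix such as co.uk the regex returns the suffix itself, and on a two-label name it never matches and leaves the value unchanged, which is what the suffix-list version is there to show.

```python
import re
from typing import Optional

# Pattern and replacement from the gsub processor in the post. In the JSON the
# dots are escaped as "\\." so the regex engine sees "\."; Java's "$1" back
# reference is written "\1" for Python's re.sub.
GSUB_PATTERN = re.compile(r".*\.([^.]+\.[^.]+)")
GSUB_REPLACEMENT = r"\1"


def registered_domain_gsub(name: str) -> str:
    """Reproduce what the gsub processor writes to dns.question.registered_domain.

    gsub replaces every match of the pattern with the replacement, so a name of
    three or more labels collapses to its last two labels. A name with fewer
    than three labels never matches the leading ".*\\." and is left unchanged.
    """
    return GSUB_PATTERN.sub(GSUB_REPLACEMENT, name)


# Constructed, deliberately tiny stand-in for the Public Suffix List
# (https://publicsuffix.org/); a real deployment loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "uk", "co.uk", "org.uk"}


def registered_domain_psl(name: str, suffixes=PUBLIC_SUFFIXES) -> Optional[str]:
    """General algorithm: the registered domain is the longest public suffix
    that ends the name plus the single label to its left. The gsub regex is the
    special case where every public suffix is exactly one label long."""
    labels = name.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix (the whole name) to the shortest.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            if i == 0:
                return None  # the name is itself a public suffix
            return ".".join(labels[i - 1:])
    return None  # unknown suffix: refuse to guess rather than mislabel


# Sample names: the three from the post plus two constructed edge cases.
SAMPLE_NAMES = [
    "radio.twc.weather.com",
    "screenhub-builds.s3.amazonaws.com",
    "mcs2-cloudstation-us-east-2.prod.hydra.sophos.com",
    "weather.com",        # constructed: only two labels, regex does not match
    "www.example.co.uk",  # constructed: two-label public suffix
]


def compare(names=SAMPLE_NAMES) -> dict:
    """Map each name to (gsub result, suffix-list result) so the two can be diffed."""
    return {n: (registered_domain_gsub(n), registered_domain_psl(n)) for n in names}


if __name__ == "__main__":
    for name, (gsub_out, psl_out) in compare().items():
        flag = "" if gsub_out == psl_out else "   <-- differs"
        print(f"{name:50} gsub={gsub_out!r:22} psl={psl_out!r}{flag}")
```

Running the block prints one line per sample name and flags the rows where the regex and the suffix-list rule disagree; if the DNS data being enriched contains names under multi-label suffixes, the rows that differ are the ones a pipeline based on the regex alone will label with the suffix rather than the registered domain.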