I have noticed some odd behavior with the "TLD filter".
I have the following filter:
if [dns][query] !~ /in-addr.arpa$/ {
  tld {
    source => "[dns][query]"
    target => "[dns]"
  }
}
When the above runs, it populates all the TLD fields, but it removes every other "[dns][something]" field; for example, the [dns][query] field is missing.
Anyone else seen this behavior?
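As an added example (not the poster's configuration), here is a self-contained pipeline that keeps the existing [dns][*] fields intact by writing the parsed parts to a dedicated sub-object instead of the [dns] object itself. It assumes the field loss happens because the filter replaces whatever is at `target` with its own result object, which matches the symptom described above; the `generator` input and `rubydebug` output are only there so the pipeline can be run on its own.

```conf
input {
  # Constructed sample input: one query name per event.
  generator {
    lines => ["www.example.co.uk", "10.0.0.1.in-addr.arpa"]
    count => 1
  }
}

filter {
  # Place the sample value where the original filter expects it.
  mutate { rename => { "message" => "[dns][query]" } }

  # The dot is escaped so only a literal "in-addr.arpa" suffix is skipped.
  if [dns][query] !~ /in-addr\.arpa$/ {
    tld {
      source => "[dns][query]"
      # Assumption: a sub-field target leaves [dns][query] and any other
      # [dns][*] fields untouched, because only [dns][tld] is (re)written.
      target => "[dns][tld]"
    }
  }
}

output {
  # Shows [dns][query] alongside the parsed parts under [dns][tld].
  stdout { codec => rubydebug }
}
```

If the output still shows the sibling fields missing with the sub-field target, the overwrite is not coming from the `target` setting and the tld plugin version and event debug output are the next things to check.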