Thanks for the assist. That is pretty close to what I ended up with. I finally figured out the extractor can only return one value per pattern. I am guessing this is a Graylog limitation. So I copied and created new patterns for things like source and destination IP address so they both get returned in different fields.
Some of the log entries have additional data in them between some of the fields in the example above. So there may be 2 characters like DF in-between the PREC and TTL fields. Have not quite figured out how to handle that yet, but it does not seem to be effecting the extraction. It just ignores them ad it si not data I care about.
MAC address seems to just be wrong coming from DD-WRT syslog. I get an odd number fo octets. The example above has 13 instead of 8 and 3 numbers at the start. Have not looked into that problem yet.
It appears they only solution for DNS resolution is a plugin in the market place. But it seems to no longer be supported and is only for the source field. The data I need to resolve is in the message field. Thinking at this point I script and export the data from the DB, do an NSLOOKUP, append new entries to a CSV, and leverage a lookup table. Seems like a complicated and slow process. Am I missing anything here?