These are the grok patterns:
WINDNS_BASE16NUM (?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))
WINDNS_FLAGSCHAR (\s+[A|T|D|R]{1,4}\s+)|(\s+[A|T|D|R]{1,4}\s+[A|T|D|R]{1,4}\s+)|(\s+[A|T|D|R]{1,4}\s+[A|T|D|R]{1,4}\s+[A|T|D|R]{1,4}\s+)|\s+
WINDNS_FLAGSHEX ([0-9]+)
WINDNS_IP (?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])|((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?
WINDNS_NAME (?:\s+.+|)
WINDNS_NOTSPACE \S+
WINDNS_OPCODE ([A-Z]{1})
WINDNS_PROTOCOL (UDP|TCP)
WINDNS_QTYPE (?:\s\S+|)
WINDNS_QUERYRESP (\s+R\s+|\s+)
WINDNS_RESPONSE ([A-Z]+)
WINDNS_SNDRCV (Snd|Rcv)
WINDNS_THREADID [a-zA-Z0-9]{4}
WINDNS_TIME (?:0?[1-9]|1[0-2])[/-](?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])[/-](?>\d\d){1,2}\s(?!<[0-9])(?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)\s(A|P)M
WINDNS_XID ([a-z0-9]{4})