First, read guideline, how to paste content, especially code using ``` code ```
You use grok which is in my opinion too specific, it’s better to use grok patterns already included in graylog:
WINDNS_BASE16NUM - is not necessary, use rather BASE16NUM
WINDNS_PROTOCOL (UDP|TCP) - correct one with | between options
WINDNS_SNDRCV (Snd|Rcv) - correct one with | between options
WINDNS_IP - is not necessary, use rather IP
I edited your grok a bit: %{WINDNS_TIME:Time} +%{WINDNS_THREADID:ThreadID} +%{NOTSPACE:Context} +%{BASE16NUM:InternalID} +%{WINDNS_PROTOCOL:Protocol} +%{WINDNS_SNDRCV:SndRcv} +%{IP:IP} +%{WINDNS_XID:XID} %{WINDNS_OPCODE:Opcode} +\[%{WINDNS_FLAGSHEX:FlagsHex}%{WINDNS_FLAGSCHAR:FlagsChar}%{WINDNS_RESPONSE:Response}]%{WINDNS_QTYPE:QType}%{GREEDYDATA:dns_query_name}
I created simplified version of your grok: %{WINDNS_TIME:Time} %{WORD:ThreadID} %{WORD:Context}%{SPACE}%{WORD:InternalID} %{WORD:Protocol} %{WORD:SndRcv} %{IP:IP}%{SPACE}%{WORD:XID}%{SPACE}(?:Q|R|U) ?(Q|R|U)?%{SPACE}\[%{GREEDYDATA:FlagsHex}%{SPACE}%{WORD:Response}\]%{SPACE}%{WORD:QType}%{SPACE}%{GREEDYDATA:Name}
Best way to debug grok is to use either graylog (one pattern at once and add) or onine grok editor: http://grokdebug.herokuapp.com/
