From 1542b741336d3b2847f79bba89db987b89ddf3f4 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Fri, 14 Nov 2025 09:24:58 -0600
Subject: [PATCH] move dns tld fields to its own pipeline
---
 .../elasticsearch/files/ingest/suricata.dnsv3 | 42 +++----------------
 1 file changed, 5 insertions(+), 37 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/suricata.dnsv3 b/salt/elasticsearch/files/ingest/suricata.dnsv3
index 02b7f94ed..0e804364b 100644
--- a/salt/elasticsearch/files/ingest/suricata.dnsv3
+++ b/salt/elasticsearch/files/ingest/suricata.dnsv3
@@ -45,43 +45,11 @@
 }
 },
 {
- "script": {
- "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.name != null && q.name.contains('.')) {\n q.top_level_domain = q.name.substring(q.name.lastIndexOf('.') + 1);\n }\n }\n}"
- }
- },
- {
- "script": {
- "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.name != null && q.name.contains('.')) {\n q.query_without_tld = q.name.substring(0, q.name.lastIndexOf('.'));\n }\n }\n}"
- }
- },
- {
- "script": {
- "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.query_without_tld != null && q.query_without_tld.contains('.')) {\n q.parent_domain = q.query_without_tld.substring(q.query_without_tld.lastIndexOf('.') + 1);\n }\n }\n}"
- }
- },
- {
- "script": {
- "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.query_without_tld != null && q.query_without_tld.contains('.')) {\n q.subdomain = q.query_without_tld.substring(0, q.query_without_tld.lastIndexOf('.'));\n }\n }\n}"
- }
- },
- {
- "script": {
- "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.parent_domain != null && q.top_level_domain != null) {\n q.highest_registered_domain = q.parent_domain + \".\" + q.top_level_domain;\n }\n }\n}"
- }
- },
- {
- "script": {
- "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.subdomain != null) {\n q.subdomain_length = q.subdomain.length();\n }\n }\n}"
- }
- },
- {
- "script": {
- "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.parent_domain != null) {\n q.parent_domain_length = q.parent_domain.length();\n }\n }\n}"
- }
- },
- {
- "script": {
- "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n q.remove('query_without_tld');\n }\n}"
+ "pipeline": {
+ "name": "suricata.tld",
+ "ignore_missing_pipeline": true,
+ "if": "ctx?.dns?.queries != null && ctx?.dns?.queries.length > 0",
+ "ignore_failure": true
 }
 }
 ]
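Review bot: The `pipeline` processor added at the end of this hunk combines `"ignore_missing_pipeline": true` with `"ignore_failure": true`, so a `suricata.tld` pipeline that is absent or throws leaves `dns.queries` without the `top_level_domain`, `parent_domain` and `highest_registered_domain` fields the removed scripts used to set, and nothing in the document records that the enrichment was skipped; any detection content keyed on those fields would quietly stop matching. The diffstat shows only this file changing, so `suricata.tld` must come from another commit or state — if it is not deployed together with this one, the enrichment is lost without an error. Consider dropping `"ignore_failure": true` in favour of an `on_failure` handler such as `"on_failure": [{ "set": { "field": "error.message", "value": "{{ _ingest.on_failure_message }}" } }]` and adding `"tag": "suricata.tld"` so failures are attributable in the node's ingest stats, keeping `ignore_missing_pipeline` only if a silent skip is genuinely intended. The `.length > 0` test in the `if` condition is redundant (an empty list would just produce no work) but harmless. The enclosing `processors` array begins outside the hunk; only its closing `]` is visible here.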