Exactly correct! Using btool, I was able to see the order that the extractions are applied, and confirmed what you said. EXTRACT-extractDomain = (?<domain>(?:(?:(?:[^\.]+\.)?(?<tld>(?:[^\.\s]{2})(?:(?:\.[^\.\s][^\.\s])|(?:[^\.\s]+)))))).$ in questionname EXTRACT-opcode = (?<operation>[ R]) (?<opcode>.) \[(?<hexflags>[0-9A-Fa-f]+) (?<flags>....) (?<response>[^\]]+)\] EXTRACT-protocol = (?<packetid>[0-9A-Fa-f]*) (?<protocol>UDP|TCP) (?<direction>\w+) (?<src_ip>[0-9A-Fa-f\.\:]+)\s+ EXTRACT-question1 = \] (?<questiontype>\w+)\s+(?<questionname>.*) EXTRACT-question2 = \] (?<questionname>[^\s]*)$ EXTRACT-threadid = (?<threadid>[0-9A-Fa-f]+)\s+(?<context>PACKET) When I renamed to zzExtractDomain, it works great because the questionname has been filled at that point Thanks! ... View more

macros.conf is normally not replicated to indexers. This is why it works in stand-alone and not with a distributed search to indexer or cluster. You can add it in distsearch.conf. ... View more

It's interesting..this seems to work for very recent events (with the last 8 hours), but when I got outside of that window, there are no results. I'm guessing it has something to do with the bucketing..Any other ideas? ... View more

thanks I edited the answer to fix ... View more