Grok scripts for the pihole log file

Over a number of months I've developed a system to parse and extract data from the pihole log file. I've used the logstash grok extensions to regex. The system I developed to use these strings focusses on the outbound request strings, and very little attention is paid to the replies, so if you are interested in the replies you may have to dig into them a little deeper.

Please feel free to copy, modify and use to suit your own purposes.

The main pattern is:

%{LOGTIME:Timestamp} %{LOGPROG:Prog}: ((%{LOGACTIONFROM:ActionFrom} %{LOGDOMAIN:DomainFrom} %{LOGDIRECTIONFROM:DirectionFrom} %{LOGEOLFROM:EndOfLineFrom})|(%{LOGACTIONTO:ActionTo} %{LOGDOMAIN:DomainTo} %{LOGDIRECTIONTO:DirectionTo} %{LOGEOLTO:EndOfLineTo})|(%{LOGACTIONIS:ActionIs} %{LOGDOMAIN:DomainIs} %{LOGDIRECTIONIS:DirectionIs} %{LOGEOLIS:EndOfLineIs}))

The custom patterns are:

LOGTIME ^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s{1,2}[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2}
LOGPROG dnsmasq\[\d{1,}\]
LOGACTIONFROM query\[(A{1,5}|HTTPS|SOA|TXT|PTR|SVCB|SRV|NAPTR|NS|type=\d{1,5})\]
LOGACTIONTO forwarded
LOGACTIONIS reply|regex blacklisted|exactly blacklisted|special domain|cached|gravity blocked|Rate\-limiting|config|%{LOGACTIONOTHER}
LOGACTIONOTHER (Apple iCloud Private Relay domain)
LOGACTION %{LOGACTIONIS}|%{LOGACTIONTO}|%{LOGACTIONFROM}|%{LOGACTIONOTHER}
LOGDIRECTIONFROM from
LOGDIRECTIONIS is
LOGDIRECTIONTO to
LOGDOMAIN (%{LOGIP}|error|((?:[A-Za-z0-9_~:\/?#\[\]\-@!\$&'\(\)\*\+,%=]*)\.?)*)
LOGEMAIL [a-zA-Z][a-zA-Z0-9_.+\-=:]+@%{LOGDOMAIN}
LOGIPV4ELEMENT [0-9]{1,3}
LOGIPV6ELEMENT [0-9a-fA-F]{0,4}:{1,2}
LOGIPV4 %{LOGIPV4ELEMENT}\.%{LOGIPV4ELEMENT}\.%{LOGIPV4ELEMENT}\.%{LOGIPV4ELEMENT}
LOGIPV6 %{LOGIPV6ELEMENT}{1,8}
LOGIP %{LOGIPV4}|%{LOGIPV6}
LOGEOLIS .+$
LOGEOLFROM %{LOGIPV4}
LOGEOLTO %{LOGIPV4}
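As an added example (not the original poster's code, and not part of Pi-hole or logstash), the Python below expands these grok definitions into a single regex the way logstash's grok filter does (%{NAME} becomes a non-capturing group, %{NAME:field} a named group), runs the main pattern over a few constructed pihole.log lines, and then pulls out the per-client list of queried domains that the outbound-request focus described above is aimed at. The pattern text is copied from the post with LOGDOMAIN's LOGIP reference written as %{LOGIP}; the sample log lines, and the names expand_grok, parse_line, parse_log and queries_per_client, are constructed for this example.

```python
import re

# Grok definitions from the post (LOGEMAIL and LOGACTION are unused and omitted).
GROK_PATTERNS = {
    "LOGTIME": r"^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s{1,2}[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2}",
    "LOGPROG": r"dnsmasq\[\d{1,}\]",
    "LOGACTIONFROM": r"query\[(A{1,5}|HTTPS|SOA|TXT|PTR|SVCB|SRV|NAPTR|NS|type=\d{1,5})\]",
    "LOGACTIONTO": r"forwarded",
    "LOGACTIONIS": r"reply|regex blacklisted|exactly blacklisted|special domain|cached|gravity blocked|Rate\-limiting|config|%{LOGACTIONOTHER}",
    "LOGACTIONOTHER": r"(Apple iCloud Private Relay domain)",
    "LOGDIRECTIONFROM": r"from",
    "LOGDIRECTIONIS": r"is",
    "LOGDIRECTIONTO": r"to",
    "LOGDOMAIN": r"(%{LOGIP}|error|((?:[A-Za-z0-9_~:\/?#\[\]\-@!\$&'\(\)\*\+,%=]*)\.?)*)",
    "LOGIPV4ELEMENT": r"[0-9]{1,3}",
    "LOGIPV6ELEMENT": r"[0-9a-fA-F]{0,4}:{1,2}",
    "LOGIPV4": r"%{LOGIPV4ELEMENT}\.%{LOGIPV4ELEMENT}\.%{LOGIPV4ELEMENT}\.%{LOGIPV4ELEMENT}",
    "LOGIPV6": r"%{LOGIPV6ELEMENT}{1,8}",
    "LOGIP": r"%{LOGIPV4}|%{LOGIPV6}",
    "LOGEOLIS": r".+$",
    "LOGEOLFROM": r"%{LOGIPV4}",
    "LOGEOLTO": r"%{LOGIPV4}",
}

# The main pattern from the post: one of three branches (query from / forwarded to / <action> is).
MAIN_PATTERN = (
    r"%{LOGTIME:Timestamp} %{LOGPROG:Prog}: ("
    r"(%{LOGACTIONFROM:ActionFrom} %{LOGDOMAIN:DomainFrom} %{LOGDIRECTIONFROM:DirectionFrom} %{LOGEOLFROM:EndOfLineFrom})"
    r"|(%{LOGACTIONTO:ActionTo} %{LOGDOMAIN:DomainTo} %{LOGDIRECTIONTO:DirectionTo} %{LOGEOLTO:EndOfLineTo})"
    r"|(%{LOGACTIONIS:ActionIs} %{LOGDOMAIN:DomainIs} %{LOGDIRECTIONIS:DirectionIs} %{LOGEOLIS:EndOfLineIs}))"
)

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{NAME} or %{NAME:field}


def expand_grok(pattern, definitions):
    """Recursively replace %{NAME[:field]} references with their regex bodies.
    %{NAME} -> (?:body), %{NAME:field} -> (?P<field>body); an undefined
    NAME raises KeyError, just as grok refuses an unknown pattern name."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        body = definitions[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    while _REF.search(pattern):
        pattern = _REF.sub(sub, pattern)
    return pattern


LOG_REGEX = re.compile(expand_grok(MAIN_PATTERN, GROK_PATTERNS))


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_REGEX.match(line)
    if not m:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def parse_log(text):
    """Parse every line of a log; lines that match no branch are dropped."""
    rows = (parse_line(line) for line in text.splitlines() if line.strip())
    return [r for r in rows if r is not None]


def queries_per_client(text):
    """Map each client IP to the domains it asked for (the 'query ... from' branch only)."""
    out = {}
    for row in parse_log(text):
        if "ActionFrom" in row:
            out.setdefault(row["EndOfLineFrom"], []).append(row["DomainFrom"])
    return out


# Constructed sample lines in pihole.log / dnsmasq format (not a real capture).
SAMPLE_LOG = """\
Jan  5 10:15:32 dnsmasq[1234]: query[A] example.com from 192.168.1.20
Jan  5 10:15:32 dnsmasq[1234]: forwarded example.com to 1.1.1.1
Jan  5 10:15:32 dnsmasq[1234]: reply example.com is 93.184.216.34
Jan  5 10:15:33 dnsmasq[1234]: query[AAAA] ads.example.net from 192.168.1.20
Jan  5 10:15:33 dnsmasq[1234]: gravity blocked ads.example.net is 0.0.0.0
Jan  5 10:15:34 dnsmasq[1234]: query[PTR] 20.1.168.192.in-addr.arpa from 192.168.1.21
Jan  5 10:15:34 dnsmasq[1234]: started, version 2.89 cachesize 10000
"""

if __name__ == "__main__":
    for row in parse_log(SAMPLE_LOG):
        print(row)
    print(queries_per_client(SAMPLE_LOG))
```

The "started, version ..." line matches none of the three branches and is dropped, which mirrors how the grok filter would tag it with _grokparsefailure; the PTR line shows LOGDOMAIN backtracking out of its LOGIP alternative once the trailing ".in-addr.arpa" rules out a bare address.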
